Besides the intelligent splitter, ARMS provides a custom cleansing configurator, which you can use to build your own log cleansing flow when the splitting requirements are complicated.
The custom cleansing configurator works in a what-you-see-is-what-you-get (WYSIWYG) visual configuration mode. This topic explains how to use it.
The user interface of the custom cleansing configurator consists of three areas:
- A: Raw log area
- B: Cleansing flow editing area
- C: Cleansing result preview area
In the cleansing flow editing area (“editing area”), you assemble one or more “blocks” into the log cleansing logic, which “cleanses” the logs in the raw log area into structured key-value (KV) pairs.
While you edit a cleansing flow in the editing area, you can click Log Splitting Preview at the top of the cleansing result preview area (“preview area”) to preview the KV pairs generated when each line of the raw log is cleansed with the current cleansing flow.
If the cleansing flow and previewed result are correct, click Next to start the job. ARMS processes each log entry consumed from the data source with the flow saved in the editing area.
This example shows how to configure a simple log cleansing flow.
Assume that the transaction log of a system is as follows:
Take the first line of the log as an example. Assume that the log entry is to be split into the following KV pairs:
The fields are separated by vertical bars (|), so the single separator splitter is used to split them.
From the toolbar on the left side of the editing area, drag the single separator splitter into the editing area, as shown in the following figure.
NOTE: The splitter must be attached to the Start Cleansing module.
Configure the splitter as follows:
- Use “|” as the separator and “_line” as the input parameter (_line indicates the raw log line).
- After splitting, the string at location 0 is converted into a Date value in the format yyyy-MM-dd HH:mm:ss (the conversion result is actually saved as a Long value on the ARMS console).
- The string at location 1 is converted into a String value whose key is username.
- The string at location 2 is converted into a Long value whose key is userid.
- The string at location 3 is converted into a String value whose key is event.
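The configuration above can be approximated outside the console with a minimal Python sketch. This is not how ARMS implements the splitter. The sample line, the key name `date`, and the choice of UTC epoch milliseconds for the Long value are all assumptions made for illustration. Only the separator, the field locations, and the `username`, `userid`, and `event` keys come from the configuration described above.

```python
from datetime import datetime, timezone

# Hypothetical sample line; the values are invented for illustration only.
SAMPLE_LINE = "2016-10-11 15:30:00|alice|1001|login"


def split_line(line, separator="|"):
    """Split one raw log line (the _line input) into typed KV pairs."""
    parts = line.split(separator)

    # Location 0: parse a yyyy-MM-dd HH:mm:ss timestamp and keep it as a Long.
    # Assumption: the Long is epoch milliseconds and the timestamp is in UTC.
    parsed = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
    date_ms = int(parsed.replace(tzinfo=timezone.utc).timestamp() * 1000)

    return {
        "date": date_ms,          # key name "date" is an assumption
        "username": parts[1],     # location 1 -> String
        "userid": int(parts[2]),  # location 2 -> Long
        "event": parts[3],        # location 3 -> String
    }


print(split_line(SAMPLE_LINE))
```

A line whose field at location 2 is not numeric raises `ValueError` in this sketch. How the console treats such a line is not covered here.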
Click Log Splitting Preview. The splitting result of each log is as follows:
Click Save or Next. The cleansing flow takes effect.
This is how a simple log splitting job works.
This example shows how to split and cleanse a complicated log.
In this example, the number of fields and the meaning of the field in a given column vary with the operation type. This is common in business systems. Logs of different types can therefore be distinguished with if-then or if-else logic. For more information about the syntax, see Aviator.
Configure the flow as follows:
- Use the single separator splitter to split the fields.
- Then use the if-then logic module: depending on the value of event, apply a different single separator splitter to split the fields.
In the preview area, you can see that the KV pairs split from the first line differ from those split from the second line. The KV pairs from the first line contain username and userid, whereas those from the second line contain price.
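The branching idea can be illustrated with a short Python sketch. It is a rough analogue of the if-then module, not the Aviator syntax that ARMS uses. The two sample lines, the event values `login` and `buy`, the key name `time`, the field order, and the integer type of `price` are hypothetical and chosen only so that one entry yields username and userid while the other yields price.

```python
# Hypothetical sample lines; the layouts and values are assumptions.
LOGIN_LINE = "2016-10-11 15:30:00|login|alice|1001"
BUY_LINE = "2016-10-11 15:31:00|buy|25"


def cleanse(line):
    """Split a line on "|" and then pick a field layout by event type."""
    # First step: a single separator split that exposes the shared fields.
    parts = line.split("|")
    record = {"time": parts[0], "event": parts[1]}

    # if-then step: the value of event decides how the rest is interpreted.
    if record["event"] == "login":
        record["username"] = parts[2]
        record["userid"] = int(parts[3])
    elif record["event"] == "buy":
        record["price"] = int(parts[2])  # assumption: price is an integer

    return record


for sample in (LOGIN_LINE, BUY_LINE):
    print(cleanse(sample))
```

Entries with an event value that matches no branch keep only the shared fields in this sketch.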
The preceding two examples use only the single separator splitter. ARMS ships with several types of splitters, including single separator, multi-separator, sequence, KV, and JSON splitters. Depending on the case, they can be used separately or in combination. For more information, see Preset splitters.