Creating Parsed Data Alerts

Parsed Data alerts are created differently from other alert types.

There is no Parsed Data alert type to select in the interface; its creation is based on a Pre-defined Search Filter alert. The Filter specifies matching values that are extracted by the parser from the log messages.

To use Parsed Data alert, you need to know the name of the database table where parsed logs are stored along with the column names. You can find the exact column names using the Management > Column Manager page to create the search filter for this alert type. For more information, see Managing Column Manager chapter in the TIBCO LogLogic® Log Management Intelligence Administration Guide. When specifying the matching values, data type should be considered for the relevant table columns. For example, IP addresses must be a numeric type, that is, a 32-bit integer and not the string representation such as 169.1.1.1.

Procedure

  1. Create a Pre-defined Search Filter:
    1. Name the filter.
    2. For filter type, select Use Exact Phrase.
    3. For the DB table, specify _table=. (Only one _table= entry is allowed.)
    4. Specify columns and values to match as name-value pairs separated by commas. For example, this is a string-matching filter:
      _table=Authentication,actionID=2,statusID=4
  2. Create a Pre-defined Search Filter alert:
    1. Name the Search Filter alert with a prefix _parsed. For example, _parsed_Login Failure.
    2. Select the Pre-defined Search Filter you created for this alert.
      Usage notes:
    • Parsed data alerts apply only to messages from configured log sources.
    • Parsed data alerts apply only to the tables configured in the alert.
    • Parsed data alerts are not supported on ST Appliances.
    • Do not configure the same alert for both real-time and pulled data files. Create separate alerts for each, with the same search expression.