Creating Message Signatures

Procedure

  1. Access Management > Message Signatures from the navigation menu.
  2. Click the arrow next to the Patterns For field drop-down box and select a device type for which you wish to create a Message Signature.
  3. Click Create. The Message Pattern Editor opens.
    Figure: Message Pattern Editor
  4. On the General tab, highlight a message in the lower pane and click it. Your selection will appear in the Sample Message pane.
    Figure: Sample Message Selected
  5. Enter a Pattern Name and Description (optional). Enable the pattern.
  6. Click the Field Tags tab.
  7. Highlight a portion of the Sample Message you want to use as a Field Tag and click Define Field. The portion selected will appear grayed-out. The application will recognize your selection as one of 15 common tags in the Tag Library. Further identifying information will appear in the Tag Attributes section. You can edit these entries, or select different choices from the Tag name: and Extract as: drop-down menus.
    Note: You do not need to specify the Tag name and description. If <undefined> is specified, the selected tag will only be used to recognize the message but will not be extracted from the message.
    Figure: Define Field in Selected Message
  8. Click the Auto-Identify Tags button to automatically identify the available tags for the selected message. Click the Auto-Identify Tags drop-down arrow to specify how to separate the fields. The options are:
    • Comma separated
    • Tab separated
    • Semi-colon separated
    • Pipe separated fields
  9. To edit your grayed-out selection, click on it and click Remove or Remove All. (This does not remove the data; only the grayed-out condition.)
  10. If you select the Literal check box, the pattern matcher will search for that exact substring in the messages. Your selection will appear in bold face type.
    Figure: Select Literal Attribute
  11. To create additional tags from your selected message, highlight another portion and click Define Field again. Your second tag candidate will appear grayed-out. Again you may accept or edit the default Name, Description, and Type.
  12. In the Tag Name field, choose an existing field tag, create a new tag, or leave it as <undefined>.
  13. To create a new tag, click the button to open the Create Field Tag window. Enter the Name and Description fields. Click OK.
  14. Provide a Tag description (optional).
  15. Select the value in the Extract as field from the drop-down menu. For existing fields the value appears automatically.
  16. If you choose the Regular Expression option in the Extract as field, you must enter an expression in the Regex extract field. 

LogLogic supports the following Regular Expression Meta Characters:
    LogLogic Supported Regular Expression Meta characters
    Characters Description
    \a Matches ASCII character code 0x07
    \d Matches character in the set “0123456789”.
    \D Matches any byte not in the set “0123456789”.
    \e Matches ASCII character code 0x1b.
    \f Matches ASCII character code 0x0c
    \n Matches ASCII character code 0x0a.
    \r Matches ASCII character code 0x0d.
    \s Matches white space – \t \n 0x0b \f or \r.
    \S Matches any byte not in \s.
    \t Matches any byte not in 0x09.
    \w Matches any ASCII character in the set underscore, digits, or upper or lower case letter.
    \W Matches any byte not in \w.
    \xHH Matches a byte specified by the hex code HH. There must be exactly two characters after the \x.
    \Q Starts a quoted region. All meta characters lose their meaning until \E. A \\ can be used to put a backslash into the region.
    \anything else Matches the next character.
    [] Specifies a character class – match anything inside the brackets. A leading ^ negates the sense of the class – match anything not inside the brackets. Negated character classes are computed from the set of codes in the range 0–127; in other words, no bytes with the high bit set.

    Within a character class the following backslash characters mean the same thing as outside the character class: \a, \d, \D, \e, \f, \n, \r, \s, \S, \t, \w, \W, and \xHH.

    {num} or {num:num} Specifies a repetition count for the previous regular expression. Num must be less than 16. {num} is equivalent to {0:num}.
    . Matches any byte: 0x00 – 0xFF.
    + Specifies that the previous regular expression is repeated 1 or more times.
    * Specifies that the previous regular expression is repeated zero or more times.
    ( ) or (?:) Specifies capturing or non-capturing groups.
    | Specifies alternation.
    ? Specifies that the previous regular expression is repeated zero or one time.
    anything else Any other character matches itself.
  17. Click the Event Type tab.
  18. Click the down arrow for Event name and select one from the drop-down menu or create a new event type. Accept the Event description, or edit it.
  19. To create a new event type, click the button to open the Create Event Type window. Enter the Name and Description fields. Click OK.
  20. Click the Validation tab, and then click the Validate button.
    Figure: Validation Tab - Click Validate
    If the Show Only Matching Messages check box is selected, the messages with the Tag Name are highlighted in color, and the Tag value extracted appears on the right. If the Show Only Matching Messages check box is not selected, all messages appear, with those that do not match the pattern shown struck out.
  21. Click Save. After a few moments the new Message Signature appears.

Result

The green bullet in the Status column indicates the system is ready to use the new pattern and extract the values in the log data.
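
Added example (not LogLogic code): a small Python translator for checking a Regex extract expression offline against a sample message before entering it in step 16. It covers the places where the meta-character table differs from PCRE habits: `{num}` means `{0:num}` rather than "exactly num", ranges use a colon, counts must be below 16, `\Q...\E` quotes literals, and `\e` is the escape byte. The function names, the sample message and pattern, the unanchored search, and passing the remaining escapes through with Python's meaning are assumptions of this example.

```python
import re

KNOWN = set("adDfnrsStwWx")  # escapes from the table that Python's re also accepts

def loglogic_to_python(pattern: str) -> str:
    """Translate a LogLogic-dialect expression into Python re syntax."""
    out, i, in_class = [], 0, False
    while i < len(pattern):
        c, nxt = pattern[i], pattern[i + 1:i + 2]
        if c == "\\" and nxt == "Q":          # quoted region up to \E
            i, lit = i + 2, []
            while i < len(pattern) and pattern[i:i + 2] != "\\E":
                if pattern[i:i + 2] == "\\\\":
                    i += 1                    # \\ inside the region is one backslash
                lit.append(pattern[i])
                i += 1
            out.append(re.escape("".join(lit)))
            i += 2
        elif c == "\\":
            if nxt == "e":
                out.append("\\x1b")           # Python's re has no \e
            elif nxt in KNOWN:
                out.append(c + nxt)           # assumed to mean the same in Python
            else:
                out.append(re.escape(nxt))    # "\anything else": next char, literally
            i += 2
        elif c == "{" and not in_class:
            m = re.match(r"\{(\d+)(?::(\d+))?\}", pattern[i:])
            if not m:
                raise ValueError("malformed repetition at offset %d" % i)
            lo, hi = (m.group(1), m.group(2)) if m.group(2) else ("0", m.group(1))
            if int(lo) >= 16 or int(hi) >= 16:
                raise ValueError("repetition count must be less than 16")
            out.append("{%s,%s}" % (lo, hi))  # {num} is {0:num}, not "exactly num"
            i += m.end()
        else:
            if c in "[]":
                in_class = (c == "[")         # braces inside a class stay literal
            out.append(c)
            i += 1
    return "".join(out)

def extract(pattern: str, message: bytes):
    """Return the captured groups, or None if the pattern does not match."""
    rx = re.compile(loglogic_to_python(pattern).encode("latin-1"), re.DOTALL)
    m = rx.search(message)                    # unanchored search is an assumption
    return m.groups() if m else None

# Constructed sample message and pattern, for illustration only.
SAMPLE = b"Jan 12 10:15:02 fw01 sshd[4242]: Failed password for admin from 192.0.2.10 port 50022"
PATTERN = r"\QFailed password for \E(\w+) from (\d{1:3}\.\d{1:3}\.\d{1:3}\.\d{1:3})"
```

Negated character classes are not narrowed to codes 0–127 here, so a `[^...]` class can match high-bit bytes in Python that the table says it would not match in LogLogic.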