'); $("#tabs").tabs({ selected: 1 }); $("#ic-homepage__ic-tips").append( quickTipHTML() ); unhideOneProductTip(); $("#ic-homepage__product-tips").wrapInner('
'); $("#ic-homepage__feed-tips").wrapInner('
'); });
IBM Tivoli Monitoring > Version 6.3 > User's Guides > Log File Agent User's Guide > Format file > Maps IBM Tivoli Monitoring, Version 6.3
Value specifiers
This section describes how the mappings in a format specification assign values to attributes.
The mapping part of a format specification consists of the following types of value specifiers:
- $i
- String constant
- PRINTF statement
- $i
The i indicates the position of a sub expression in a format string. Each sub expression is numbered from 1 to the maximum number of sub expressions in the format string.
The value of a $i value specifier (also known as a variable, slot, or attribute) is the portion of the system log message that is matched by the corresponding sub expression.
In the following example, the log agent translates any log message from the UNIX syslog facility into a syslog event with values assigned to it:
REGEX REGenericSyslog ^([A-Z][a-z]{2}) ([ 0-9][0-9]) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*?) (.*?): (.*)$ month $1 date $2 time $3 host $4 service $5 msg $6 END
Each sub expression numbered from $1 to $6 matches an item in parentheses in the regular expression.
Therefore, the following syslog event:
Apr 6 10:03:20 jimmy syslogd 1.4.1: restart.
is assigned the following values:
month=Apr date=6 time=10:03:20 host=jimmy service=syslogd 1.4.1 msg=restart.
For example, in the syslog event, the 10:03:20 value matches the third item in parentheses in the regular expression, so the value is assigned to the $3 time value. Similarly, the jimmy value matches the fourth item in parentheses in the regular expression, so the value is assigned to the $4 host value.
- string constant
The string constant declares that the value of the attribute is the specified string. If the attribute value is a single constant without any spaces, you specify it without surrounding double quotation marks (" ") as shown in the following example:
severity WARNING
Otherwise, if there are spaces in the attribute value, double quotation marks must be used as shown in the following example:
component "Web Server"
- PRINTF statement
The PRINTF statement creates more complex attribute values from other attribute values. The PRINTF statement consists of the keyword PRINTF followed by a printf() C-style format string and one or more attribute names.
The format string supports only the %s component specifier. The values of the attributes that are used in the PRINTF statement must be derived from either a $i value specification or a constant string value specification (you cannot derive them from another PRINTF statement).
Use the value of the argument attributes to compose a new constant string according to the format string. This new constant string becomes the value of the attribute.
Based on the previous example where you defined the REGenericSyslog base class, and the service and msg slots, you can define an attribute called syslog_msg using the PRINTF keyword.
syslog_msg PRINTF("service %s reports %s", service, msg)If the following log message is reported:
Apr 6 10:03:20 jimmy syslogd 1.4.1: restart.
A new constant string is composed containing the attribute values from the format string as shown here:
syslog_msg="service syslogd 1.4.1 reports restart."
Parent topic:
Maps