{"id":131,"date":"2015-01-18T16:57:30","date_gmt":"2015-01-18T16:57:30","guid":{"rendered":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=131"},"modified":"2017-11-13T09:07:36","modified_gmt":"2017-11-13T09:07:36","slug":"dissection-modules","status":"publish","type":"page","link":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=131","title":{"rendered":"Dissection modules"},"content":{"rendered":"

The purpose of dissection modules is to parse data into Orchids event fields.<\/p>\n

Henceforth, dissecting<\/em> will mean the same thing as parsing<\/em>.<\/p>\n

Let us take an example.\u00a0 Imagine you want to give the contents of file \/var\/log\/messages<\/code> as (polled) input to Orchids. This is a file in syslog<\/code> format<\/a>, and you would like Orchids to be able to parse this format. We write:<\/p>\n

INPUT\t\ttextfile\t\"\/var\/log\/messages\"\r\nDISSECT syslog\ttextfile\t\"\/var\/log\/messages\"\r\n<\/pre>\n
in the orchids-inputs.conf<\/code><\/a> configuration file. The first line will tell Orchids
\nto use the textfile<\/code><\/a> input module to read data from file \/var\/log\/messages<\/code>. On reading, say, the following line from \/var\/log\/messages<\/code> (say, line 1065):<\/p>\n
Apr 25 23:22:40 laramie sendmail[102]: NOQUEUE: SYSERR(root): \/etc\/sendmail.cf: line 0: cannot open: No such file or directory\r\n<\/pre>\n
the textfile<\/code><\/a> module alone would produce the event:<\/p>\n\n\n\n\n\n\n\n
Field<\/th>\nContents<\/th>\n<\/tr>\n<\/tbody>\n
.textfile.line_num<\/code><\/td>\n1065<\/td>\n<\/tr>\n
.textfile.file<\/code><\/td>\n\"\/var\/log\/messages\"<\/code><\/td>\n<\/tr>\n
.textfile.line<\/code><\/td>\n\"Apr 25 23:22:40 laramie sendmail[102]: NOQUEUE: SYSERR(root): \/etc\/sendmail.cf: line 0: cannot open: No such file or directory\"<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The second line of our configuration file, DISSECT syslog textfile \"\/var\/log\/messages\"<\/code>, will tell Orchids that for all input lines coming from the same source (\/var\/log\/messages<\/code>) from the same module (textfile<\/code><\/a>), the syslog<\/code><\/a> dissection module should be used to parse the .textfile.line<\/code> string.<\/p>\n
With the aformentioned DISSECT<\/code> directive, the syslog<\/code><\/a> module will add further fields, resulting in the following event, which is then fed to the Orchids engine:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
Field<\/th>\nContents<\/th>\n<\/tr>\n<\/tbody>\n
.textfile.line_num<\/code><\/td>\n1065<\/td>\n<\/tr>\n
.textfile.file<\/code><\/td>\n\"\/var\/log\/messages\"<\/code><\/td>\n<\/tr>\n
.textfile.line<\/code><\/td>\n\"Apr 25 23:22:40 laramie sendmail[102]: NOQUEUE: SYSERR(root): \/etc\/sendmail.cf: line 0: cannot open: No such file or directory\"<\/code><\/td>\n<\/tr>\n
.syslog.time<\/code><\/td>\nApril 25, 23:22:40\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (as a value of type ctime<\/code>, not str<\/code>)<\/td>\n<\/tr>\n
.syslog.host<\/code><\/td>\n\"laramie\"<\/code><\/td>\n<\/tr>\n
.syslog.pid<\/code><\/td>\n102<\/td>\n<\/tr>\n
.syslog.prog<\/code><\/td>\n\"sendmail\"<\/code><\/td>\n<\/tr>\n
.syslog.msg<\/code><\/td>\n\"NOQUEUE: SYSERR(root): \/etc\/sendmail.cf: line 0: cannot open: No such file or directory\"<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
How it works<\/h3>\n
At configuration time, the DISSECT<\/code> directive uses its third argument (here, the string \"\/var\/log\/messages\"<\/code>) as a tag<\/em>. There may be several DISSECT<\/code> directives associated to the same pair of modules (here, textfile<\/code><\/a> and\u00a0 syslog<\/code><\/a>), provided they have different tags.\u00a0 This is so that the same dissection module can dissect several different sources of events.<\/p>\n
Remember from the input modules<\/a> page that the last and next-to-last fields in Orchids events play a special role:<\/p>\n