topic Re: How do I consume an MS EntLib LAB file? in Getting Data In

How do I consume an MS EntLib LAB file?

Alan_Bradley — Sat, 20 Mar 2010 00:22:43 GMT

In the past we've always logged all of our applications to SQL. We've used a variety of ways to do that, including home-grown and now Microsoft Enterprise Library Logging Application Block (LAB). Log4Net is also in the picture. We have LAB set to crank out files to a rolling file appender. So, pretty standard, each day, new file. The entries look like this currently:

-----
Timestamp: 9/22/2009 4:50:04 PM Message: MPP LAB says the app is starting. Category: General Priority: -1 EventId: 1 Severity: Information Title: Machine: VDEVAPP2 Application Domain: /LM/W3SVC/1/ROOT-4-128981118015194687 Process Id: 2724 Process Name: c:\windows\system32\inetsrv\w3wp.exe Win32 Thread Id: 4052 Thread Name: Extended Properties: 
-----

Easy enough to have Splunk read these files, but obviously we want to have every line (Fieldname:value) parsed as fields in Splunk. A complete entry is bracketed by the ----- lines. How do I go about this?

Re: How do I consume an MS EntLib LAB file?

jrodman — Thu, 25 Mar 2010 02:24:45 GMT

I think somehow answers has killed your formatting.

I'm guessing this looks like:

----
Timestamp: 9/22/2009 4:50:04 PM
Message:MPP Lab says the app...
Category: blah blah 
----
Timestamp: ...

Seems like a cruel joke to have this big logging infrastructure that then creates timestamps in an ambiguous date format. But that aside, There's various ways to handle this.

You can split the events by using the BREAK_ONLY_BEFORE and similar options, or you can use a clumsier but faster approach of changing our LINE_BREAKER from the default of ([\r\n]+) to something like ([\r\n]+----[\r\n]+) At that point you'd add in SHOULD_LINEMERGE=false, and splunk will then enforce that each block of text between that four dashed line will be treated as a single block of text.

To extract the fields, you can use a repeat-match searchtime regex, in multiline mode, that matches something like ^([^:]*): (.*)$ with a FORMAT of $1::$2 Ie. for each line, the text before the first colon is the field name, and the text after the colon and the space is the value.

This is all assuming the file is a text file, and not a complex binary format that happens to have text blobs in it somewhere.

Re: How do I consume an MS EntLib LAB file?

gkanapathy — Tue, 06 Apr 2010 01:28:08 GMT

Note that this format is very similar to the extractions done to Splunk's own Windows Event Logs. You can look in the etc/system/default/transforms.conf file at the wel-col-kv extraction (which is called on WinEventLog... and WMI... sources) for hints.

Re: How do I consume an MS EntLib LAB file?

bsayatovic — Mon, 28 Sep 2020 18:19:30 GMT

I've struggled with the same thing. My format is similar except my events are bounded by "----START----" and "--------------". I set my props up like this:

[iis-entlib-delim]
SHOULD_LINEMERGE=false
LINE_BREAKER=(-+START-+)
BREAK_ONLY_BEFORE_DATE = false

BREAK_ONLY_BEFORE = ^-+START-+$

MUST_BREAK_AFTER = -+END-+

For the most part, it works. However, some of my events don't get broken at the proper boundary. I still don't know why. As you can see, I've been trying some different things, but nothing yet has solved it. I have an open case with Splunk about this.