Many thanks Aengus. I hadn't noticed the asterisk. Analog appears to be falling over at the %b 'bytes sent' field, although I'm still none the wiser. Here's the first line in the log, together with the first corrupt line in the error file.
10.44.60.3 - - [09/Sep/2007:01:00:00 +0100] "\x16\x03" 501 298 "-" "-" "-:-:-" 1689 0 "-" hsx10prx01.uk-prv.attenda.net C: 10.44.60.3 - - [09/Sep/2007:01:00:00 +0100] "\x16\x03" 501 298 "-" "-" "-:-:-" 1689 0 "-" hsx10prx01.uk-prv.attenda.net C: * This is my log format: LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b "%f" "%B" "%j:%j:%j" %D %j "%j" %v) Another thing that I've noticed is that despite changing the %t to a %j immediately following the %D, I'm getting a '0' in the result instead of a '-'! I thought Analog was supposed to skip %j fields? Regards, John -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aengus Sent: 24 September 2007 13:32 To: Support for analog web log analyzer Subject: Re: [analog-help] Trouble locating duplicate fields On Monday, September 24, 2007 8:14 AM [EDT], Hunter John <[EMAIL PROTECTED]> wrote: > I'm trying to analyze Apache logs with the following format: > > APACHELOGFORMAT (%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" > \"%{User-Agent}i\" > \"%{SSL_PROTOCOL}x:%{SSL_CIPHER}x:%{SSL_SESSION_ID}x\" %D %T > \"%{Cookie}i\" %v) > > Analog's debug tells me that one item occurs twice in the translated > format of: > > LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b "%f" > "%B" "%j:%j:%j" %D %t "%j" %v) > > The only thing that seemed to be duplicated were the %D and %t fields > so I replaced %t with %j and re-ran with the new LOGFORMAT. Analog > now runs but the error file soon starts to fill up and every single > line of the log is marked as corrupt. No matter what I try I don't > seem to be able to read these logs. > > Can anyone tell me what I'm doing wrong please? If you set DEBUG ON, Analog will print a line with an asterisk under the first element of the logfile entry that it can't match to the LOGFORMAT. Or you can post 2 or 3 sample lines here. Aengus +----------------------------------------------------------------------- +- | TO UNSUBSCRIBE from this list: | http://lists.meer.net/mailman/listinfo/analog-help | | Analog Documentation: http://analog.cx/docs/Readme.html List | archives: http://www.analog.cx/docs/mailing.html#listarchives | Usenet version: news://news.gmane.org/gmane.comp.web.analog.general +----------------------------------------------------------------------- +- ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. No one else is authorised to distribute, forward, print, copy or act upon any information contained in this email. If you have received this email in error, please notify the sender. Hiscox Syndicates Limited, Hiscox Insurance Company Limited, Hiscox Underwriting Limited and Hiscox Investment Management Limited are authorised and regulated by the Financial Services Authority. Hiscox plc is a company registered in England and Wales under company registration number 2837811 and registered office at 1 Great St Helen's, London EC3A 6HX ********************************************************************** +------------------------------------------------------------------------ | TO UNSUBSCRIBE from this list: | http://lists.meer.net/mailman/listinfo/analog-help | | Analog Documentation: http://analog.cx/docs/Readme.html | List archives: http://www.analog.cx/docs/mailing.html#listarchives | Usenet version: news://news.gmane.org/gmane.comp.web.analog.general +------------------------------------------------------------------------
