Many thanks again Aengus. I've learnt more about Analog in the last couple of emails from you than I ever hoped to from the documentation.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aengus
Sent: 24 September 2007 14:41
To: Support for analog web log analyzer
Subject: Re: [analog-help] Trouble locating duplicate fields

On Monday, September 24, 2007 9:06 AM [EDT], Hunter John <[EMAIL PROTECTED]> wrote:

> Many thanks Aengus. I hadn't noticed the asterisk. Analog appears to
> be falling over at the %b 'bytes sent' field, although I'm still none
> the wiser. Here's the first line in the log, together with the first
> corrupt line in the error file.
>
> 10.44.60.3 - - [09/Sep/2007:01:00:00 +0100] "\x16\x03" 501 298 "-"
> "-" "-:-:-" 1689 0 "-" hsx10prx01.uk-prv.attenda.net
>
> C: 10.44.60.3 - - [09/Sep/2007:01:00:00 +0100] "\x16\x03" 501 298 "-"
> "-" "-:-:-" 1689 0 "-" hsx10prx01.uk-prv.attenda.net
> C: *
>
> This is my log format:
>
> LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b "%f"
> "%B" "%j:%j:%j" %D %j "%j" %v)

"%j%w%r%wHTTP%j" doesn't match "\x16\x03". It looks like Analog always interprets \"%r\" in an APACHELOGFORMAT as "%j%w%r%wHTTP%j", but your web server isn't recording the method or the HTTP version in its %r!

Analog put the * under the Bytes field because it was told to expect HTTP after 2 whitespaces (%w) after the first ". So it read the first ", skipped everything (%j) until the first whitespace (%w), read 501 as the %r, read more whitespace (%w) and then expected to read HTTP but instead saw 298, so that's where it marked the *.

If you change the LOGFORMAT to

LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%r" %c %b "%f" "%B" "%j:%j:%j" %D %j "%j" %v)

your line will parse (though it has a 501 status code, so it counts as a failure, not a successful request).

> Another thing that I've noticed is that despite changing the %t to a
> %j immediately following the %D, I'm getting a '0' in the result
> instead of a '-'! I thought Analog was supposed to skip %j fields?

I don't understand what you're asking - your logfile has a 0, why are you expecting to see a '-'? Analog completely ignores %j fields, it doesn't convert them into something else.

Aengus

+------------------------------------------------------------------------
| TO UNSUBSCRIBE from this list:
| http://lists.meer.net/mailman/listinfo/analog-help
|
| Analog Documentation: http://analog.cx/docs/Readme.html
| List archives: http://www.analog.cx/docs/mailing.html#listarchives
| Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
+------------------------------------------------------------------------
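
Added example, not part of the original thread and not Analog's own code: a simplified Python model of the matching described above, run on the log line and the two LOGFORMAT strings from the messages. It assumes every field other than %w reads up to the next literal character (or up to whitespace when %w follows); the names tokenize and match are hypothetical.

```python
import re

# Log line and LOGFORMAT quoted in the thread; NEW is the suggested replacement.
LINE = (r'10.44.60.3 - - [09/Sep/2007:01:00:00 +0100] "\x16\x03" 501 298 "-" '
        r'"-" "-:-:-" 1689 0 "-" hsx10prx01.uk-prv.attenda.net')
OLD = ('%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b "%f" '
       '"%B" "%j:%j:%j" %D %j "%j" %v')
NEW = OLD.replace('%j%w%r%wHTTP%j', '%r')

def tokenize(fmt):
    """Split a format into ('field', letter) and ('lit', char) tokens."""
    return [("field", m.group(1)) if m.group(1) else ("lit", m.group(2))
            for m in re.finditer(r"%(\w)|(.)", fmt)]

def match(fmt, line):
    """Return (fields, None) on success, or (None, offset) where matching stopped."""
    toks, pos, fields = tokenize(fmt), 0, {}
    for i, (kind, val) in enumerate(toks):
        if kind == "lit":                      # literal must match exactly
            if line[pos:pos + 1] != val:
                return None, pos
            pos += 1
        elif val == "w":                       # %w: one or more whitespace chars
            end = pos
            while end < len(line) and line[end].isspace():
                end += 1
            if end == pos:
                return None, pos
            pos = end
        else:                                  # any other field
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is None:                    # last token: take the rest
                end = len(line)
            elif nxt == ("field", "w"):        # delimited by whitespace
                m = re.search(r"\s", line[pos:])
                end = pos + m.start() if m else len(line)
            else:                              # assumed: delimited by a literal
                end = line.find(nxt[1], pos)
                if end == -1:
                    return None, pos
            if val != "j":                     # %j is consumed but never stored
                fields[val] = line[pos:end]
            pos = end
    return (fields, None) if pos == len(line) else (None, pos)

if __name__ == "__main__":
    for name, fmt in (("old", OLD), ("new", NEW)):
        fields, stop = match(fmt, LINE)
        print(name, "parsed:" if stop is None else "stopped at offset", fields or stop)
```

With the old format the model stops at the start of 298, the position Analog marked with the *; with the new format the same line yields 501 as %c and 298 as %b.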