[analog-help] Trouble locating duplicate fields

[Aengus]

On Monday, September 24, 2007 9:06 AM [EDT],
Hunter John <John.Hunter at hiscox.com> wrote:

> Many thanks Aengus.  I hadn't noticed the asterisk.  Analog appears
> to be falling over at the %b 'bytes sent' field, although I'm still
> none the wiser.  Here's the first line in the log, together with the
> first corrupt line in the error file.
>
>
> 10.44.60.3 - - [09/Sep/2007:01:00:00 +0100] "\x16\x03" 501 298 "-"
> "-" "-:-:-" 1689 0 "-" hsx10prx01.uk-prv.attenda.net
>
> C: 10.44.60.3 - - [09/Sep/2007:01:00:00 +0100] "\x16\x03" 501 298 "-"
> "-" "-:-:-" 1689 0 "-" hsx10prx01.uk-prv.attenda.net
> C:                                                            *
>
> This is my log format:
>
> LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b "%f"
> "%B" "%j:%j:%j" %D %j "%j" %v)

"%j%w%r%wHTTP%j" doesn't match "\x16\x03". It looks like Analog always 
interprets \"%r\" in an APACHELOGFORMAT as "%j%w%r%wHTTP%j", but your web 
server isn't recording the method or the HTTP version in it's %r! Analog put 
the * under the Bytes field because it was told to expect HTTP after 2 
whitespaces (%w) after the first ". So it read the first ", skipped 
everything (%j) until the first whitespace (%w), read 501 as the %r, read 
more whitespace (%w) and then expected to read HTTP but instead saw 298, so 
that's where it marked the *.

If you change the LOGFORMAT to

LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%r" %c %b "%f" "%B" "%j:%j:%j" %D 
%j "%j" %v)

your line will parse (though it has a 501 status code, so it counts as a 
failure, not a successful request.

> Another thing that I've noticed is that despite changing the %t to a
> %j immediately following the %D, I'm getting a '0' in the result
> instead of a '-'!  I thought Analog was supposed to skip %j fields?

I don't understand what you're asking - your logfile has a 0, why are you 
expecting to see a '-' ? Analog completely ignores %j fields, it doesn't 
convert them in to something else.

Aengus