Community
Participate
Working Groups
The parsing rule for msg CommonBaseEvent property in the Windows event logs adapter files truncates the message at the first semi-colon found. Sometimes the Message value in the event log record contains one or more semi-colons. Each property in the event log record is terminated by a semi-colon but the rule for msg does not account for the case where the Message value contains semi-colons and parses the end of the msg value at the first semi-colon encountered. For example, here is a sample Windows application event log record where the Message contains semi-colons: RecordNumber: 1358; Severity: 20; CreationTime: 10/05/2006 21:56:37.000000; SourceComponent: SCM Client; EventCategory: 0; EventID: 00000000; Username: N/A; Computername: RNSX641; LocationType: Hostname; Message: SCM Client Thu Oct 05 21:56:37 2006 g:\scm5102\src\hc\install\winservice\service.c Line: 953, startServiceApp, HCVCA1018I Process started for C:\PROGRA~1\IBM\SCM\client\..\_jvm\bin\java.exe -classpath ..\jars\client.jar;..\jars\clientPII.jar;..\jars\ITLMToolkit.jar -Djlog.logCmdPort=1953 -Xmx64m -Djava.compiler=NONE com/ibm/test/client/TestClient ;
The resulting msg value from parsing this sample records is: msg="SCM Client Thu Oct 05 21:56:37 2006 g:\scm5102\src\hc\install\winservice\service.c Line: 953, startServiceApp, HCVCA1018I Process started for C:\PROGRA~1\IBM\SCM\client\..\_jvm\bin\java.exe -classpath ..\jars\client.jar" but it should be: msg="SCM Client Thu Oct 05 21:56:37 2006 g:\scm5102\src\hc\install\winservice\service.c Line: 953, startServiceApp, HCVCA1018I Process started for C:\PROGRA~1\IBM\SCM\client\..\_jvm\bin\java.exe -classpath ..\jars\client.jar;..\jars\clientPII.jar;..\jars\ITLMToolkit.jar -Djlog.logCmdPort=1953 -Xmx64m -Djava.compiler=NONE com/ibm/test/client/TestClient"
Targetting this to i3.
This problem was encountered when parsing a Windows Application Event log. To minimize the risk of performance degradation the rule change should only be applied to the Application Event log adapters. Reassigning to Cindy.
Deferring this to 4.4 as it has the potential for regression.
Added sizing.
Targetting to i3 and increasing priority to indicate it is planned for 4.4.
Created attachment 63307 [details] patch file
This is because curently the windows event adapters using the ; as the separator token. The patch changes the separator token from ; to @;@, also the Reader.cpp has been modified to write the log entry with @;@ at then end for each field. Some performance data: Operation system: Windows XP In TPTP4.4 i2 stand alone GLA, to generate the CBEs output for windows application event (2322 records): Start Time= 0:34:11.57 - End Time= 0:34:15.78 spend time = 4.21s With this patch to generate the CBEs output for windows application event (2322 records): Start Time= 0:37:47.84 - End Time= 0:37:52.05 spend time = 4.21s So there is no big time decrease for this fix.
The fix as specified in the patch was committed to TPTP Head CVS. Thanks.
As of TPTP 4.6.0, TPTP is in maintenance mode and focusing on improving quality by resolving relevant enhancements/defects and increasing test coverage through test creation, automation, Build Verification Tests (BVTs), and expanded run-time execution. As part of the TPTP Bugzilla housecleaning process (see http://wiki.eclipse.org/Bugzilla_Housecleaning_Processes), this enhancement/defect is verified/closed by the Project Lead since this originator of this enhancement/defect has an inactive Bugzilla account and considered to be fixed. If this enhancement/defect is still unresolved and reproducible in the latest TPTP release (http://www.eclipse.org/tptp/home/downloads/), please re-open.
