Quick Start

sat edited this page Jun 26, 2026 · 1 revision

Parse a log line with the default parser and read back the fields.

import log2seq

mes = ("Jan  1 12:34:56 host-device1 system[12345]: "
       "host 2001:0db8:1234::1 (interface:eth0) disconnected")

parser = log2seq.init_parser()      # the default syslog/ISO parser
d = parser.process_line(mes)

process_line returns a plain dict:

d["timestamp"]   # datetime.datetime(2026, 1, 1, 12, 34, 56)
d["host"]        # 'host-device1'
d["message"]     # 'system[12345]: host 2001:0db8:1234::1 (interface:eth0) disconnected'
d["words"]       # ['system', '12345', 'host', '2001:0db8:1234::1',
                 #  'interface', 'eth0', 'disconnected']
d["symbols"]     # ['', '[', ']: ', ' ', ' (', ':', ') ', '']

What you get:

  • timestamp — a datetime. A syslog line has no year, so the default parser fills the current year.
  • host — present because the default rule names an item host; header keys depend on the rule (see Header Rules).
  • message — the body left for the statement stage.
  • words / symbols — the tokenized body. Note 2001:0db8:1234::1 survived as one word: the default parser fixes IP addresses before splitting on :. symbols is always one longer than words.
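The words/symbols layout lends itself to event templating for log triage. The following is an added example, not code from log2seq or from this wiki: it works on the result dict shown above (copied here as a literal, so log2seq itself is not imported), checks the one-longer invariant, rebuilds the body by interleaving, and masks variable tokens. The helper names, the `**` placeholder and the "IP address or pure number" heuristic are assumptions made for illustration.

```python
import ipaddress

# Result of parser.process_line() for the sample line, copied from this page.
SAMPLE = {
    "message": "system[12345]: host 2001:0db8:1234::1 (interface:eth0) disconnected",
    "words": ["system", "12345", "host", "2001:0db8:1234::1",
              "interface", "eth0", "disconnected"],
    "symbols": ["", "[", "]: ", " ", " (", ":", ") ", ""],
}


def interleave(words, symbols):
    """Rebuild a body as symbols[0] + words[0] + symbols[1] + ... + symbols[-1]."""
    if len(symbols) != len(words) + 1:
        raise ValueError("symbols must be exactly one longer than words")
    parts = [symbols[0]]
    for word, sym in zip(words, symbols[1:]):
        parts.append(word)
        parts.append(sym)
    return "".join(parts)


def is_variable(word):
    """Hypothetical heuristic: pure numbers and IP addresses vary per event."""
    if word.isdigit():
        return True
    try:
        ipaddress.ip_address(word)  # accepts both IPv4 and IPv6 literals
        return True
    except ValueError:
        return False


def to_template(d, placeholder="**"):
    """Mask variable words but keep every separator, giving a stable event key."""
    masked = [placeholder if is_variable(w) else w for w in d["words"]]
    return interleave(masked, d["symbols"])


if __name__ == "__main__":
    print(interleave(SAMPLE["words"], SAMPLE["symbols"]) == SAMPLE["message"])
    print(to_template(SAMPLE))
```

Because the IPv6 address arrives as a single word, it is masked as one token rather than being split at each colon.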

Process a file line by line:

with open("app.log") as f:
    for line in f:
        d = parser.process_line(line.rstrip("\n"))
        print(d["words"])

A line that matches no header rule raises log2seq.LogParseFailure; build the parser with ignore_failure=True to get None instead. From the shell, the same thing is one command — python -m log2seq app.log — see Practical Patterns.
