i tried to make grok pattern:
PODPISY (?:[\s\S]*?</podpisy>)
it's based on REGEX:
http://regexr.com/3fbti
and it works as it should.
I use it in config like that:
filter{
grok { match => { "message" => "%{PODPISY}" }}
}
A log appeared that head inside message something like:
aaaaaaaaaaaaaaaaaaaazazafrthjrfjr3523
but still i got _grokparsefailure tag and i don't have any additional field.
Finally i want delete this part of text from message.
Finally i want delete this part of text from message.
Sounds like the mutate filter's gsub option might be a better match than grok.
I will check that:
gsub => [
"message", "<podpisy>[\\s\\S]*?<\\/podpisy>", "podpis"
]
this does not seem to work. I tried to escape / in my regex.
As mentioned here: mutate | Logstash Reference [1.5] | Elastic
It works without escaping.
Can you tell me why i get _grokparsefailure tag and i don't have any additional field ?
Is something wrong with my config / grok ?
Also this part of xml is only part of the field. I don't want to cut everything. I want to cut part of it and leave the rest.
I use Logstash 1.4.2
Kibana 3
ES 1.4.0
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.