I have logs coming in from CoreOS nodes via Filebeat; the "source" field is of the general form: /var/log/containers/<name of container>-<some alphanumeric string I don't care about>
I'd like to parse the part after /var/log/containers/, and have found that the regex ^(\w+\b-\w+\b) should pull out the part I need. I have put this into a file in the pattern_dir.
Now, I've noticed that I have to match a different regex in the <name of container> part of the string, but I guess that's beyond the scope of this thread.
Actually, one further question - why does this work? We only want the alphanumeric words at the beginning, so why doesn't it match everything like the various regex checkers I've found online say it should?
OK, after some playing around, I need more help.
I changed my regex to this:
CONTAINERAPP .+?(?=-\d)
As I need to match everything up to some digits. I now don't even get an "app" tag being sent to Logstash.
I have looked at this again, and grok still seems not to work with this particular regex. With others it works, but of course it does not match the pattern I want it to.
I have looked at Grok debugger, plugging in the relevant values, and it gives me the output:
(note the trailing hyphen). Even better, it works when I test in logstash. That's what's confusing me here: why does the previous one work in the grok debugger, but fail when I try it in logstash?
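
The two patterns quoted in the thread, run side by side over constructed file names (an added example, not part of the original posts). It uses Ruby's regex engine rather than Logstash's grok, and `extract_app`, the constant names and the sample paths are hypothetical:

```ruby
# Added example: the two CONTAINERAPP patterns from the thread, side by side.
# Sample paths are constructed; extract_app is a hypothetical helper.

PREFIX = "/var/log/containers/"

# First pattern from the thread: two "words" joined by a single hyphen.
TWO_WORDS = /^(\w+\b-\w+\b)/
# Second pattern from the thread: lazily match up to the first "-<digit>".
UP_TO_DIGITS = /.+?(?=-\d)/

# Return what `pattern` extracts from the part of `source` after PREFIX,
# or nil when the prefix is different or the pattern finds no match.
def extract_app(source, pattern)
  return nil unless source.start_with?(PREFIX)
  m = pattern.match(source[PREFIX.length..-1])
  m && m[0]
end

SAMPLES = [
  "/var/log/containers/nginx-ingress-3920173485-x7k2p.log",
  "/var/log/containers/web-frontend-api-12345-abc.log",
  "/var/log/containers/redis-1234567-ab.log",
  "/var/log/containers/kube-proxy-xk9fz.log", # no "-<digit>" anywhere
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |src|
    first  = extract_app(src, TWO_WORDS)
    second = extract_app(src, UP_TO_DIGITS)
    puts format("%-58s two_words=%-16s up_to_digits=%s",
                src, first.inspect, second.inspect)
  end
end
```

A name with no hyphen followed by a digit yields nil for the second pattern, while the first pattern stops after the second word however long the name is.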