Dear Forum,
I have a problem with parsing a grok filter. This works from the command line with a Ruby test script as it should:
pattern = "%{PFLTR},?%{PORTS}?,?%{ICMP}?"
It parses the lines and gets the stuff from "%{PFLTR}" (let's call it the base string) and optionally gets the stuff from "?%{PORTS}?,?%{ICMP}?" (let's call it the optional string). All fields are filled either with values or with empty values.
In the grok file I use in Logstash, with the same line, it never respects "?%{PORTS}?,?%{ICMP}?". It only gets the stuff from "%{PFLTR}" and the other fields are just empty.
I can provide more info if necessary. I hope that somebody can give me a hint. Thanks in advance,
Regards