Basic regex failing in ad hoc query

Works:

+"meetingId"

Does not work:

+/meetingId/

I don't understand?

Hmm, works fine for me. Can you share the mapping for the fields you are hoping this would match, along with some samples of the data?

A big part of all the problems I've been posting is that I cannot share any sample data. It contains PII. I will try to answer generically though:

The messages are broken into a HUGE number of fields, but I don't know how that is relevant? I mean, after all, the original message is still in there, right? Does ad hoc query not check the full message? Side question: Please clear up my understanding on that!

Here are the contents of the relevant field labeled "details" (with dummy data) that I would hope would match the string I'm looking for:

Redis Service Message Received - Host: dummy.server.com:6379 Channel: bigbluebutton:meeting:presentation Message: {"timestamp":"1487992173554","slideNumber":"0","windowId":"","meetingId":"b3f9ed2c840cb91fcba0ba24da2bba0c6d079e19bf1cfcddbe7b0d17e935d13f-1487992156990","messageId":"PRESENTATION_PAGE_CHANGED","presentationName":"default"}

This ad hoc query also fails:

+/.*meetingId.*/

Here is the grok pattern in my Logstash (sub patterns excluded to keep this as small as possible. Can provide on request):

RELEVANT_MATCH ^%{LOG_COMMON} %{TIMESTAMP_ISO8601:event_time}%{NOTSPACE}%{SPACE}%{LOGLEVEL:severity} T[(%{NOTSPACE} - %{HTTP_REQUEST:http_request}|%{PROG})] %{JAVACLASS:JAVACLASS:java_class}: ((%{BASE16NUM} )?getMeetingInfo ?meetingID=%{USERNAME:meetingID}&password=%{USERNAME:password}( %{BASE16NUM})?|%{GREEDYDATA:details})$

In this case it's matching a Redis log entry so I'm concerned with the field that has the "details" label.

What version of the stack are you using?

logstash-5.2.2-1.noarch
elasticsearch-5.2.1-1.noarch
kibana-5.2.1-1.x86_64
