Basic regex failing in ad hoc query



Does not work:


I don't understand?

Hmm, works fine for me. Can you share the mapping for the fields you are hoping this would match, along with some samples of the data?

A big part of all the problems I've been posting is that I cannot share any sample data. It contains PII. I will try to answer generically though:

The messages are broken into a HUGE number of fields, but I don't know how that is relevant? I mean, after all, the original message is still in there, right? Does the ad hoc query not check the full message? Side question: please clear up my understanding on that!

Here are the contents of the relevant field labeled "details" (with dummy data) that I would hope would match the string I'm looking for:

Redis Service Message Received - Host: Channel: bigbluebutton:meeting:presentation Message: {"timestamp":"1487992173554","slideNumber":"0","windowId":"","meetingId":"b3f9ed2c840cb91fcba0ba24da2bba0c6d079e19bf1cfcddbe7b0d17e935d13f-1487992156990","messageId":"PRESENTATION_PAGE_CHANGED","presentationName":"default"}

This ad hoc query also fails:


Here is the grok pattern in my Logstash (sub-patterns excluded to keep this as small as possible; can provide on request):

RELEVANT_MATCH ^%{LOG_COMMON} %{TIMESTAMP_ISO8601:event_time}%{NOTSPACE}%{SPACE}%{LOGLEVEL:severity} T[(%{NOTSPACE} - %{HTTP_REQUEST:http_request}|%{PROG})] %{JAVACLASS:JAVACLASS:java_class}: ((%{BASE16NUM} )?getMeetingInfo ?meetingID=%{USERNAME:meetingID}&password=%{USERNAME:password}( %{BASE16NUM})?|%{GREEDYDATA:details})$

In this case it's matching a Redis log entry so I'm concerned with the field that has the "details" label.
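As an added example (not code from this thread or the poster's Logstash config), here is a small Python approximation of pulling apart that "details" string and of two ways a regex can be applied to it: an unanchored substring search versus a per-term, whole-term match in the style of a Lucene regexp query. The REDIS_DETAILS pattern and the term splitting are my own assumptions, not the poster's grok sub-patterns or Elasticsearch's real analyzer.

```python
import json
import re

# Constructed sample, built from the dummy "details" value quoted in the thread.
DETAILS = (
    "Redis Service Message Received - Host: Channel: "
    "bigbluebutton:meeting:presentation Message: "
    '{"timestamp":"1487992173554","slideNumber":"0","windowId":"",'
    '"meetingId":"b3f9ed2c840cb91fcba0ba24da2bba0c6d079e19bf1cfcddbe7b0d17e935d13f'
    '-1487992156990","messageId":"PRESENTATION_PAGE_CHANGED",'
    '"presentationName":"default"}'
)

# Hypothetical Python counterpart of a grok sub-pattern for the details field:
# %{NOTSPACE:channel} -> (?P<channel>\S+), %{GREEDYDATA:message} -> (?P<message>.*)
REDIS_DETAILS = re.compile(
    r"^Redis Service Message Received - Host:\s*(?P<host>\S*)\s*"
    r"Channel:\s*(?P<channel>\S+)\s+Message:\s*(?P<message>\{.*\})$"
)


def parse_details(details: str) -> dict:
    """Split the details string into host, channel and the decoded JSON message."""
    m = REDIS_DETAILS.match(details)
    if not m:
        return {}
    fields = m.groupdict()
    fields["message"] = json.loads(fields["message"])
    return fields


def search_hits(pattern: str, text: str) -> bool:
    """Unanchored substring regex: the behaviour most people expect from 'a regex'."""
    return re.search(pattern, text) is not None


def term_regexp_hits(pattern: str, text: str) -> bool:
    """Rough stand-in for a regexp query on an analyzed text field: the value is
    split into lower-cased terms and the regex has to match one whole term."""
    terms = re.split(r"[^\w:]+", text.lower())  # crude, assumed tokenizer
    return any(re.fullmatch(pattern, t) for t in terms if t)
```

Running the two matchers with the same fragment, e.g. PRESENTATION_PAGE, shows why a pattern that succeeds as a substring search can miss when it is applied term by term and must cover the whole term.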

What version of the stack are you using?

