11 Apr 2018 10:40:11,306 | WARN | TalendMP1555Prod | rg.apache.camel.util.CamelLogger 182 | 161 - org.apache.camel.camel-core - 2.15.4 | A20180411.1015+0100-1030+0100_15310.xml.gz
For this, the grok pattern is creating an issue.
%{S3_REQUEST_LINE} %{CISCO_REASON} %{SPACE} %{S3_REQUEST_LINE} %{SPACE} %{S3_REQUEST_LINE} %{SPACE} %{S3_REQUEST_LINE} %{CISCO_REASON} %{SPACE} %{S3_REQUEST_LINE} %{SPACE} %{S3_REQUEST_LINE} %{SPACE} %{S3_REQUEST_LINE} %{SPACE} %{S3_REQUEST_LINE} %{CISCO_REASON} %{JAVALOGMESSAGE}
atira
(Attila Boncok)
April 18, 2018, 3:11pm
2
%{S3_REQUEST_LINE} %{CISCO_REASON} etc. seem to be custom patterns. Did you define them?
Here are the default grok patterns for logstash.
Also, the input message has | in it, which you don't seem to handle.
By the way, since | seems to be functioning as a delimiter, using the dissect filter would be easier and also more efficient performance-wise.
edit: oh, or is %{S3_REQUEST_LINE} == "|" ?
How can we write a pattern for the full line?
atira
(Attila Boncok)
April 18, 2018, 7:01pm
4
I've never done dissect before, but let's see.
dissect {
  mapping => {
    "message" => "%{field1} | %{field2} | %{field3} | %{field4} | %{field5} | %{field6}"
  }
}
Name the fields field1, field2... etc. how you want to.
You can create more fields if you want to. E.g. with the dissect above field4 would look like this:
[field4] = "rg.apache.camel.util.CamelLogger 182"
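A fuller version of the dissect approach for the sample line at the top of the thread, as an added example that is not part of the original posts. The field names (log_timestamp, level, context, logger, line, bundle_id, bundle_name, bundle_version, log_message, parse_status) are assumptions chosen for illustration; the timestamp format is read off the sample line.

```logstash
filter {
  # Split the line on its literal delimiters. Field names are illustrative
  # assumptions; the last field takes the rest of the line, so a " | " inside
  # the message text does not shift the earlier fields.
  dissect {
    mapping => {
      "message" => "%{log_timestamp} | %{level} | %{context} | %{logger->} %{line} | %{bundle_id} - %{bundle_name} - %{bundle_version} | %{log_message}"
    }
    # "->" skips repeated spaces after the logger name; the line number is stored as an integer
    convert_datatype => { "line" => "int" }
  }

  if "_dissectfailure" in [tags] {
    # Keep lines that do not match the layout, marked for review, instead of losing them
    mutate { add_field => { "parse_status" => "unparsed" } }
  } else {
    # Trim any padding left around the delimited fields
    mutate { strip => ["level", "context", "logger"] }

    # "11 Apr 2018 10:40:11,306" becomes the event's @timestamp
    date {
      match => ["log_timestamp", "dd MMM yyyy HH:mm:ss,SSS"]
      remove_field => ["log_timestamp"]
    }
  }
}
```

Events tagged `_dissectfailure` keep their original `message`, so they can be routed to a separate index and checked for format changes or truncated lines.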