Custom grok pattern failure with forward slashes

About 1/400 of the log entries I'm feeding Logstash will have a forward slash "/" in them. How do I account for that and prevent a grok failure?

That obviously depends on the data and the grok expression you use.

The field is being matched with %{DATA:incident_type}. Most are plain text, but some of the data has a forward slash.

Examples:
THIS INCIDENT TYPE
THAT INCIDENT TYPE
ANOTHER INCIDENT TYPE
THIS/THAT INCIDENT TYPE <-- doesn't match and throws grok failure.

DATA matches forward slashes. What do the full grok expression and a complete line of input look like?

I found the problem, and it's not related to slashes. Content was changed on the server side. I was using BASE10NUM for a field in the grok pattern; the content now possibly includes characters and numbers. I switched it to DATA and all is well. Thanks!
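
A way to find which field of a grok expression rejects a line, shown as an added example that is not part of the original thread or of Logstash: it expands the expression token by token and reports the first field at which matching stops. The pipe-delimited line format, the unit_id field, the sample lines and all helper names are assumptions made for illustration; the DATA and BASE10NUM bodies follow the stock grok pattern definitions.

```ruby
# Stock grok definitions for the two patterns discussed in the thread.
PATTERNS = {
  "DATA"      => '.*?',
  "BASE10NUM" => '(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))',
}.freeze
TOKEN = /%\{(\w+):(\w+)\}/

# Hypothetical expression; the thread never shows the real one.
EXPR = '^%{BASE10NUM:unit_id}\|%{DATA:incident_type}$'

# Expand %{NAME:field} tokens into named capture groups.
def to_regex(expr)
  Regexp.new(expr.gsub(TOKEN) { "(?<#{$2}>#{PATTERNS.fetch($1)})" })
end

# Returns the captured fields, or nil (the equivalent of _grokparsefailure).
def grok_match(expr, line)
  m = to_regex(expr).match(line)
  m ? m.named_captures : nil
end

# Grow the expression one token (plus the literal text after it) at a time;
# the first prefix that stops matching names the field that rejects the line.
def first_failing_field(expr, line)
  return nil if grok_match(expr, line)
  tokens = expr.to_enum(:scan, TOKEN).map { Regexp.last_match }
  tokens.each_with_index do |tok, i|
    stop = tokens[i + 1] ? tokens[i + 1].begin(0) : expr.length
    return tok[2] unless to_regex(expr[0...stop]).match?(line)
  end
  nil
end

# Constructed sample lines: the slash is harmless, the letter in the ID is not.
SAMPLES = [
  "4521|THIS INCIDENT TYPE",
  "4521|THIS/THAT INCIDENT TYPE",
  "E4521|THIS/THAT INCIDENT TYPE",
].freeze

SAMPLES.each do |line|
  bad = first_failing_field(EXPR, line)
  puts "#{line.inspect} -> #{bad ? "fails at #{bad}" : grok_match(EXPR, line)}"
end
```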
