Hello, I have now set up a pipeline and defined a GROK pattern. It is working. However, the logs that do not match the pattern are not displayed. How could I define a simple second pattern to catch the remaining logs?
Hello hta,
You could add a %{GREEDYDATA:data} after your own Grok pattern. This should catch all.
Example:
```json
"patterns": [
  "User %{USERNAME:user.name} %{GREEDYDATA:event.action} via %{WORD:ui} from %{IP:source.ip} using %{WORD:event.provider}",
  "User %{USERNAME:user.name} %{GREEDYDATA:event.action} via %{WORD:ui} from %{IP:source.ip}",
  "User %{USERNAME:user.name} %{GREEDYDATA:event.action}",
  "%{GREEDYDATA:data}"
]
```
The first three would extract data from events and map that to specific fields. The fourth entry is the catchall and maps it to the "data" field.
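To show why the order of that list matters and what the catch-all actually does, here is an added example (not code from the answer above or from Elasticsearch): a small Python stand-in for the grok processor's "patterns" behaviour. It expands the four patterns from the answer into regexes, tries them in order, and reports the first match. The base pattern definitions (USERNAME, WORD, IP, GREEDYDATA) are simplified assumptions, and the sample log lines are constructed for the demo.

```python
import re

# Constructed, simplified stand-ins for the grok built-in patterns the answer
# uses; the real grok library definitions are broader (assumption for this demo).
BASE_PATTERNS = {
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "WORD": r"\w+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "GREEDYDATA": r".*",
}

# Matches a grok reference such as %{IP:source.ip} or %{WORD} (no field name).
GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


def grok_to_regex(pattern):
    """Expand one grok pattern into an anchored Python regex.

    Python group names cannot contain dots (e.g. "user.name"), so each captured
    field gets a synthetic group name plus a map back to the real field name.
    """
    parts, field_map, pos = [], {}, 0
    for ref in GROK_REF.finditer(pattern):
        parts.append(re.escape(pattern[pos:ref.start()]))  # literal text
        name, field = ref.group(1), ref.group(2)
        base = BASE_PATTERNS[name]
        if field is None:
            parts.append(f"(?:{base})")
        else:
            key = f"g{len(field_map)}"
            field_map[key] = field
            parts.append(f"(?P<{key}>{base})")
        pos = ref.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$"), field_map


def grok_first_match(patterns, line):
    """Try the patterns in order, like the grok processor's "patterns" list,
    and return the fields of the first match (None if nothing matched)."""
    for pattern in patterns:
        regex, field_map = grok_to_regex(pattern)
        m = regex.match(line)
        if m:
            return {field_map[k]: v for k, v in m.groupdict().items()}
    return None


# The pattern list from the answer above: most specific first, catch-all last.
PATTERNS = [
    "User %{USERNAME:user.name} %{GREEDYDATA:event.action} via %{WORD:ui} from %{IP:source.ip} using %{WORD:event.provider}",
    "User %{USERNAME:user.name} %{GREEDYDATA:event.action} via %{WORD:ui} from %{IP:source.ip}",
    "User %{USERNAME:user.name} %{GREEDYDATA:event.action}",
    "%{GREEDYDATA:data}",
]

# Constructed sample events: one per pattern, plus one only the catch-all takes.
SAMPLE_LINES = [
    "User alice logged in via web from 10.0.0.5 using ldap",
    "User bob logged out via cli from 192.168.1.9",
    "User carol changed password",
    "Connection reset by peer",
]


def parse_all(lines=SAMPLE_LINES, patterns=PATTERNS):
    """Parse each line with the ordered pattern list and return the results."""
    return [grok_first_match(patterns, line) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LINES, parse_all()):
        print(f"{line!r} -> {fields}")
    # Without the catch-all the last line matches nothing; in an ingest
    # pipeline that is a grok failure, not a silently unparsed event.
    print(grok_first_match(PATTERNS[:-1], "Connection reset by peer"))
```

The catch-all has to stay last: because %{GREEDYDATA:data} matches any line, putting it earlier would stop the more specific patterns from ever being tried, and every event would end up with only a "data" field. Lines that reach the catch-all are a useful signal in their own right, since a query for documents that have "data" but no "user.name" lists exactly the log formats the pipeline does not yet parse.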