Hello All,
could you please help us to get the desire out put my logs usign the logstash groke filter
My Logformat id :"Apr 17 15:20:01 wiki-jira CROND[8769]: (root) CMD (/usr/lib64/sa/sa1 1 1)"
I want get the out as " CMD (/usr/lib64/sa/sa1 1 1)" ..
I tried the several ways but no luck to me .. Pleasae suggest us how to do ?
thanks
jagdish
Have you looked at the syslog example in the documentation?
https://www.elastic.co/guide/en/logstash/current/config-examples.html
And try this!
http://grokconstructor.appspot.com/
I came up with that in 1 min. You can use the mutate filter to remove fields
%{CISCOTIMESTAMP}%{SPACE}%{NOTSPACE}%{CRON_ACTION}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{CRON_ACTION}%{GREEDYDATA:your_field}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.