Dissect filter special character "\" "<"

Hi,
I'm trying to use the best of dissect, unfortunately I have encountered a small problem with special characters like "\" or "<"
For example:
<14>Jan 9 15:36:03
and
domain_name\username
When I'm parsing this log with fields, I want to exclude "<14" and "domain_name\" in the example above.
Do you have any idea how to do this?

As far as dissect is concerned, the only special characters are %{ and }. So if you have a string such as

<14>Jan 9 15:36:03 and domain_name\username and so on

You can dissect it using

dissect { mapping => { "message" => "<%{a}>%{ts} %{+ts} %{+ts} and %{d}\%{u} %{}" } }

Thank you, that obviously works.

But that creates a new question: how to change this parser if there is no domain and username field, it's empty; now I have a _dissectfailure tag.
I believe it's because of the "\" character

As the documentation says, you might need to test that the format of the string is appropriate for the dissection before dissecting.
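
One way to apply that advice, as an added example that is not part of the original thread: a conditional checks for the backslash before choosing a dissect mapping. It assumes the domain\username field is the only place a backslash can appear in the message; the `rest` field and the `no_domain_user` tag are hypothetical names.

```logstash
filter {
  # Assumption: a backslash between two non-space runs only occurs in the
  # domain\username field. The regex deliberately does not end in a
  # backslash, because the config parser reads "\/" as an escaped slash.
  if [message] =~ /\S+\\\S+/ {
    dissect {
      # Mapping from the answer above: every delimiter, including "\",
      # must be present or the event gets the _dissectfailure tag.
      mapping => { "message" => "<%{a}>%{ts} %{+ts} %{+ts} and %{d}\%{u} %{}" }
    }
  } else {
    dissect {
      # No backslash in the message: dissect only the priority and
      # timestamp, keep the remainder in one field (hypothetical name).
      mapping => { "message" => "<%{a}>%{ts} %{+ts} %{+ts} %{rest}" }
      # Hypothetical tag so these events can be found and reviewed later.
      add_tag => [ "no_domain_user" ]
    }
  }
}
```

Events that match neither layout still receive `_dissectfailure`, which is worth keeping visible in a dashboard or alert so unparsed log lines do not go unnoticed.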
