Hi,
I'm trying to use the best of dissect; unfortunately, I have encountered a small problem with special characters like "\" or "<".
For example:
<14>Jan 9 15:36:03
and
domain_name\username
When I'm parsing this log with fields, I want to exclude "<14" and "domain_name\" in the example above.
Do you have any idea how to do this?
As far as dissect is concerned, the only special characters are %{ and }. So if you have a string such as
<14>Jan 9 15:36:03 and domain_name\username and so on
You can dissect it using
dissect { mapping => { "message" => "<%{a}>%{ts} %{+ts} %{+ts} and %{d}\%{u} %{}" } }
Thank you, that obviously works.
But that creates a new question: how to change this parser if there is no domain and username field? It's empty, and now I have a _dissectfailure tag.
I believe it's because of the "\" character.
As the documentation says, you might need to test that the format of the string is appropriate for the dissection before dissecting.
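
One way to do the format test the last reply refers to, as an added example that is not from the thread: a conditional picks the dissect mapping depending on whether a `domain\user` pair is present. The first mapping is the one posted above; the second mapping and the shape of a message without the pair are assumptions, since the thread does not show such a line.

```logstash
filter {
  # \S\\\S matches "non-space, backslash, non-space", i.e. a domain\user
  # pair with both sides non-empty.
  if [message] =~ /\S\\\S/ {
    dissect {
      # Mapping from the reply above: keeps the priority in "a", the
      # three-part timestamp in "ts", the domain in "d" and the user in "u".
      mapping => { "message" => "<%{a}>%{ts} %{+ts} %{+ts} and %{d}\%{u} %{}" }
    }
  } else {
    dissect {
      # Assumed layout when the pair is absent: priority and timestamp
      # followed by a space and the rest of the line, which %{} skips.
      mapping => { "message" => "<%{a}>%{ts} %{+ts} %{+ts} %{}" }
    }
  }
}
```

Events that match neither layout still get the `_dissectfailure` tag, so that tag remains a useful signal for log lines whose format was not anticipated.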