Filebeat ingest pipeline grok pattern


(vijay kannan) #1

In /usr/share/filebeat/module/system/syslog/ingest/pipeline.json, the following grok pattern is confusing. Why is the double slash \\ there for [%{POSINT:system.syslog.pid}\]?

                        "grok": {
                            "field": "message",
                            "patterns": [
                                    "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:system.syslog.hostname} %{DATA:system.syslog.program}(?:\\[%{POSINT:system.syslog.pid}\\])?: %{GREEDYMULTILINE:system.syslog.message}",

(Vikas) #2

I think this is how the data pattern would be. If possible, can you post the log related to that grok pattern?


(vijay kannan) #3

\\ matches literally \ but in the line it doesn't have \
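
An added example, not part of the thread or of Filebeat's own code, showing the two decoding layers behind the question above: the JSON parser first turns `\\[` into `\[`, and the regex engine then reads `\[` as a literal `[`. The macro regexes are simplified stand-ins for the real grok definitions, Python's `re` stands in for the grok engine, and the sample log lines are constructed.

```python
import json
import re

# Raw text of the JSON string as stored in pipeline.json (copied from the post above).
RAW_JSON = r'''"%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:system.syslog.hostname} %{DATA:system.syslog.program}(?:\\[%{POSINT:system.syslog.pid}\\])?: %{GREEDYMULTILINE:system.syslog.message}"'''

# Simplified stand-ins for the grok macros (assumptions, not the real definitions).
MACROS = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "SYSLOGHOST": r"[\w.-]+",
    "DATA": r".*?",
    "POSINT": r"[1-9][0-9]*",
    "GREEDYMULTILINE": r"(?:.|\n)*",
}

def decode_pattern(raw_json=RAW_JSON):
    # Layer 1: JSON string escaping. Each two-character backslash pair in the
    # file becomes one backslash in the pattern handed to grok.
    return json.loads(raw_json)

def grok_to_regex(pattern):
    # Layer 2: expand %{MACRO:field} into a named group. Dots are replaced
    # because Python group names cannot contain them.
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2).replace(".", "_"), MACROS[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):([\w.]+)\}", expand, pattern))

def parse(line):
    m = grok_to_regex(decode_pattern()).fullmatch(line)
    return m.groupdict() if m else None

def single_backslash_is_valid_json():
    # A lone backslash before '[' is not a legal JSON escape, which is why the
    # file cannot simply contain one backslash there.
    try:
        json.loads(r'"(?:\[%{POSINT:pid}\])?"')
        return True
    except json.JSONDecodeError:
        return False

# Constructed sample syslog lines: one with a [pid], one without.
WITH_PID = "Feb  3 10:15:01 web01 sshd[2211]: Accepted publickey for deploy"
NO_PID = "Feb  3 10:15:02 web01 kernel: device eth0 entered promiscuous mode"

if __name__ == "__main__":
    print(decode_pattern())
    print(parse(WITH_PID))
    print(parse(NO_PID))
    print(single_backslash_is_valid_json())
```
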

