Hi, I am currently filtering logs that normaly return this kind of field (among others):
vfs.fs.size[D:,pused]
and my grok for this field is the following:
vfs.fs.size\[%{DATA:disco},pused\]
but for certain machines I got this in the same field:
vmware.vm.vfs.fs.size[{$URL},{HOST.HOST},/var,pused]
and my grok for this is the following:
vmware.vm.vfs.fs.size\[\{\$URL\}\,\{HOST.HOST\}\,%{DATA:disco},pused\]
What would be the best aproach to capture both types of fields?
Two groks whas the solution, don't know if is it the more elegant but it works
grok {
match => ["message", "%{DATA:some_data}"]
match => ["message", "%{DATA:some_data}"]
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.