I have a log file with ~500 lines and I need to extract a few lines. One of the lines I want to extract is: pullrequest=pull request number . Could someone tell me what custom grok pattern I should use to 'only' extract the pull request number? Now I am using the following expression: pullrequest\s*=\s*.?$ .
This expression gives me the whole line, but like I said, I only want the number. With some help of this forum and the grok debugger I created the following expression: (?<=pullrequest=). .
This expression is working fine within the debugger, but unfortunately I am getting a _grokparsefailure if I use it within my logstash config.
Okay, and what's the problem with using an expression like the one I gave? Do you have the complete log in a single Logstash event or do you have one event per line?
As you can see I have an ouput of two lines, while I only need the the second one.
Your question: Do you have the complete log in a single Logstash event or do you have one event per line?
Answer: It's one log file with ~500 lines with the following input config:
Oeps, my bad: I used your expression as a custom pattern. Now I am just using the following config and it works as expected:
match => {"message" => "pullrequest=%{INT:pullrequest}$"}
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
