Grok filter for a custom message

**The build ID of the run is : 104**

I have the above line in the message field. I am trying to use a Grok filter to extract the entire line to a new field by the name of "filteredValue".

What I have tried:

filter {
grok {
match => { "message =>%{{The build ID of the run is %{NUMBER}:filteredValue}}"}
}
}

Please let me know where exactly I am making the mistake. Thank you.

Try

grok { match => { "message" => "^The build ID of the run is : %{NUMBER:filteredValue}" } }

Thank you so much for the input. I am able to filter. However, I am not getting the entire line in the field "filteredValue". I am getting only the number, i.e. 104, in the above line.

Is there any way to get the entire line? Thanks in advance.

If you want the entire event copied to a new field then I would suggest using a conditional to test that it is a line you care about and then using mutate+copy to copy message to some other field.
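The conditional plus mutate+copy approach suggested above, written out as an added example that is not part of the original thread. The `buildId` field name is hypothetical, and the regular expression assumes the line format shown in the question.

```logstash
# Added example, not from the thread. "buildId" is a hypothetical field name.
filter {
  # Only touch events whose message is the build-ID line from the question.
  if [message] =~ /^The build ID of the run is : \d+/ {
    # Copy the whole line into filteredValue; message itself is left unchanged.
    mutate {
      copy => { "message" => "filteredValue" }
    }
    # Optionally also extract just the number into its own field.
    grok {
      match => { "message" => "^The build ID of the run is : %{NUMBER:buildId}" }
    }
  }
}
```

Events that do not match the conditional pass through untouched, so they get neither field and no `_grokparsefailure` tag.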

Okay. Thank you. I will try and get back.

@Badger kindly give some input on this: Copy data from a field and make it available for all the documents

Thanks a lot.
