Currently i am parsing the tibco log using grok filter
below is logs
2016 Mar 07 04:01:04:145 GMT -8 BW.TESServices-APPTST-TESTServices-APPTST-P13 User [BW-User] - Job-129210119 [UtilityProcesses/CreateAuditTrail.process/Log]: AuditTrail: 129210119|DeviceFlags|||||2016-03-07T04:01:04.145-08:00|TESTServices-APPTST-TESTServices-APPTST-P13|LOC|DeviceID - Device Model|Number|||SSS|12|45455.
IN the grok debugger i am getting partial result but when i forwarding to logstash getting grok failure error.
Any help Please.
You should edit this message and move it to the Logstash category.
Logstash's grok filter doesn't do partial matches. The expression either matches (and then you get all fields) or it doesn't match (and then you get nothing). If that doesn't answer your question you need to post your current grok filter to get help.
%{CISCOTIMESTAMP} GMT %{NUMBER} %{URIHOST} %{CISCO_REASON} %{SYSLOG5424SD:user} - %{URIHOST:jobid} %{SYSLOG5424SD:audit}:%{GREEDYDATA:message}
i am not able to split below things using from audit trail its gives greedy message.
AuditTrail: 129210119|DeviceFlags|||||2016-03-07T04:01:04.145-08:00|TESTServices-APPTST-TESTServices-APPTST-P13|LOC|DeviceID - Device Model|Number|||SSS|12|45455.
i am not able to split below things using from audit trail its gives greedy message.
I don't understand this sentence. Does the grok expression work up until the GREEDYDATA pattern? And you're unsure of how to parse the rest?
sorry for the confusion.
My question is don't know how to parse the rest of the sentence.
You can use the csv filter for that.
Thanks for the reply. Do you have any samples combined with grok filter along with CSV filter?
OR
You are suggesting me to use csv filter for all?
Thanks and Regards
Suresh kumar.A
Use the grok filter to extract the |-separated string into a field of its own (if you want to name that field message remember to set the grok filter's overwrite option), then feed that field through the csv filter.