Hi,
i have following GrokFilter extract:
[%{WORD:result}]\s+[Warnings: %{WORD:WarningCount}]|[%{WORD:result}]\s*[Warnings: %{WORD:WarningCount}]\s*[Errors: %{WORD:ErrorCount}]\s*[Exceptions: %{WORD:ExceptionCount}]
For following Log Message:
[Error] [Warnings: 7] [Errors: 0] [Exceptions: 1]
[OK] [Warnings: 7]
But now logstash does not recongnize the fields ErrorCount and ExceptionCount? Why is that so? What can i do?
Other data fields are recognized like WarningCount and result ...
I'm assuming you have backslashes before the square brackets, i.e. \[Warnings: ...\]? Next time make sure you format your regular expressions as code to avoid having e.g. backslashes stripped.
The problem could be that you don't have any parentheses to limit the effects of |. You probably want something like this:
\[%{WORD:result}]\s+(\[Warnings: ...\]|...)
But instead of listing all alternatives I'd actually prefer this:
\[%{WORD:result}]\s+ \[Warnings: ...\]( \[Errors: ...\])?( \[Exceptions: ...\])?Thank you very much that helped.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.