filter {
  # we tell logstash to look up the csv if the tags field contains the windowsregistry string
  if [tags] =~ "windowsregistry" {
    grok { match => { "[winlog][event_data][ObjectName]" => "\\REGISTRY\%{WORD:[winlog][event_data][RegistryType]}\\%{WORD:[winlog][event_data][RegistryHiveType]}\\" } }
  }
}
I've tried with a double \\, a single \, or even \\\\, but none of them works. Do you have any ideas?
Also, in its error logs Logstash reads the escape \ as if the amount were doubled.
If I use \\, Logstash reads \\\\; if I use \\\\, Logstash reads \\\\\\\\.
Note: I'm migrating from a previous solution, Graylog, where the grok pattern used is this one (with \\\\ as escape):
match => { "[winlog][event_data][ObjectName]" => "\\REGISTRY\\%{WORD:[winlog][event_data][RegistryType]}\\%{WORD:[winlog][event_data][RegistryHiveType]}\\." }
Note the second backslash after REGISTRY, and the . added at the end of the pattern. You cannot escape a backslash at the end of a quoted string. The configuration parser will always interpret that as escaping the quote. So ...
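As an added illustration (not code from the thread or from Logstash itself), the Ruby script below emulates how grok expands `%{WORD:...}` into a named capture and compiles the result as a regex, then runs the corrected pattern from the answer against a constructed ObjectName value. Ruby's Onigmo engine is a fork of the Oniguruma engine grok uses, so the backslash rules are the same; the `expand_grok` helper is a hypothetical stand-in that handles only the WORD pattern, and the sample value is constructed.

```ruby
# Added example: emulate grok's %{WORD:...} expansion and regex compilation
# with Ruby's Onigmo engine to show why a literal backslash must be written \\.

# Constructed sample of a winlog.event_data.ObjectName value.
SAMPLE_OBJECT_NAME = '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'

# The pattern from the answer above, as the characters that reach grok.
# A single-quoted heredoc keeps every backslash literally, like the config file.
ANSWER_PATTERN = <<~'PAT'.chomp
  \\REGISTRY\\%{WORD:[winlog][event_data][RegistryType]}\\%{WORD:[winlog][event_data][RegistryHiveType]}\\.
PAT

# Same pattern with a single backslash before REGISTRY: to the regex engine that
# is the escape \R (a line-break class in Oniguruma/Onigmo), not a backslash.
SINGLE_BACKSLASH_PATTERN = ANSWER_PATTERN.sub('\\\\REGISTRY') { '\\REGISTRY' }

# Expand %{WORD:[a][b][Field]} into the named group grok would build,
# (?<Field>\b\w+\b), WORD being grok's own definition. Other grok patterns are
# out of scope here; a nested field path is reduced to its innermost name.
def expand_grok(pattern)
  pattern.gsub(/%\{WORD:([^}]+)\}/) do
    field = Regexp.last_match(1).scan(/\w+/).last
    "(?<#{field}>\\b\\w+\\b)"
  end
end

# Compile and run a grok-style pattern; returns the captured fields as a hash,
# or nil when the pattern does not match.
def grok_match(pattern, text)
  m = Regexp.new(expand_grok(pattern)).match(text)
  m && m.named_captures
end

if __FILE__ == $PROGRAM_NAME
  puts expand_grok(ANSWER_PATTERN)
  p grok_match(ANSWER_PATTERN, SAMPLE_OBJECT_NAME)           # MACHINE / SOFTWARE
  p grok_match(SINGLE_BACKSLASH_PATTERN, SAMPLE_OBJECT_NAME)  # nil
end
```

The trailing `\\.` also means the match consumes one character after the third backslash, so the pattern only matches values that have a fourth path segment.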