Hi ,
with below config
input {
beats {
port => 5044
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601} "
negate => true
what => previous
}
}
}
filter {
grok {
match => { "message" => "\[(%{TIMESTAMP_ISO8601:timestamp_match})\]%{SPACE}:|:%{SPACE}(?:\s+%{WORD:level})?%{SPACE}:|:%{SPACE}(?:\s+%{USERNAME:hostname})?%{SPACE}:|:%{SPACE}(?:\s+%{GREEDYDATA:coidkey})?%{SPACE}:|:%{SPACE}(?:\s+%{GREEDYDATA:clientinfo})?%{SPACE}:|:%{SPACE}(?:\s+%{IP:clientip})?%{SPACE}:|:%{SPACE}(?:\s+%{GREEDYDATA:Url})?%{SPACE}:|:%{SPACE}(?:\s+%{JAVACLASS:class})?%{SPACE}:|:%{SPACE}%{USER:ident}%{SPACE}(?:\s+%{GREEDYDATA:msg})?$"}
}
}
output {
stdout { codec => rubydebug }
My grok does not work .
If i replace (%{TIMESTAMP_ISO8601:timestamp}) for ^(?[[^]]*]) then it excludes the square brackets [ ] not fails to identify . can someone suggest how i can include the square brackets