Hey there,
I am trying to gather my syslog info and parse it through a grok filter, but I am getting _grokparsefailure_sysloginput and _grokparsefailure. I am using the following configs:
Surely you don't need both the syslog input and a grok filter? I can't immediately spot any problems with the grok expression in the syslog input. Start simple with ^<%{POSINT:syslog_pri}> and verify that that works, then continue to add more and more to the expression until things break.
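The incremental approach suggested in this reply, written out as an added Logstash pipeline example (this is not the original poster's configuration, which is not included in the thread). It assumes a plain tcp input on port 5514 instead of the syslog input, so that only one grok stage runs and the _grokparsefailure_sysloginput tag (which the syslog input's own built-in grok adds) cannot appear; the port number and the sample line in the comment are constructed for illustration.

```conf
# Added example, not the original poster's config.
# Assumed sample line arriving on the socket (constructed):
#   <34>Oct 11 22:14:15 myhost sshd[1234]: session opened for user alice
input {
  tcp {
    port => 5514          # assumed port; the syslog input is deliberately not used
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    # Step 1: only the priority header. If this stage tags the event,
    # the received line itself is not what you expect (e.g. no <PRI> prefix).
    grok {
      match          => { "message" => "^<%{POSINT:syslog_pri}>" }
      tag_on_failure => ["_grokparsefailure_step1"]
    }

    # Step 2: the full RFC3164 line, added only once step 1 matches.
    # Each new %{...} field is a separate thing that can break, so extend
    # this pattern one field at a time and watch which step's tag appears.
    if "_grokparsefailure_step1" not in [tags] {
      grok {
        match => { "message" => "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
        tag_on_failure => ["_grokparsefailure_step2"]
      }
    }

    # Derive facility/severity from the numeric priority so they are
    # searchable fields, mirroring what the syslog input would have done.
    if [syslog_pri] {
      syslog_pri { syslog_pri_field_name => "syslog_pri" }
    }
  }
}

output {
  stdout { codec => rubydebug }   # inspect the parsed event and any failure tags
}
```

Distinct tag_on_failure values per stage are the point of the exercise: a single generic _grokparsefailure tells you nothing about which part of the expression stopped matching, whereas _grokparsefailure_step2 alone tells you the priority header is fine and the problem is in the timestamp, host or program section. Once the full pattern is stable, the step 1 grok can be dropped.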
It now works. I removed the grok_pattern and used a grok in the filter config. But I am still getting the _grokparsefailure_sysloginput. I will probably remove it in the filter. For documentation reasons, my running input and filter: