Hi,
I have logs like that ,
Wed May 10 02:50:43 2017
Wed May 3 12:23:21 2017
My grok pattern works when they are only 1 space , like the "Wed May 10 02:50:43 2017" but with "Wed May 3 12:23:21 2017", it doesn't work. But when i remove one space, it's operate.
My grok pattern is :
SAPROUTER_DATESTAMP (%{SAPROUTER_DAY}%{SAPROUTER_MONTH}%{SAPROUTER_MONTHDAY}%{SAPROUTER_TIME}%{SAPROUTER_YEAR})
Thank you
When I change my grok pattern with a space like that , it works with the 3 may but not with the 10
{SAPROUTER_MONTH} %{SAPROUTER_MONTHDAY}
PS: I already try '+' and '{1,2}
The problem for you might come from your definition of SAPROUTER_MONTH or SAPROUTER_MONTHDAY which already includes one space. That's why +didn't work (+ means at least one occurence) and the same goes for {1,2}
So \s* might work, as well as \s{0,1} which is equal to \s?.
A space in your definition really defines a space so be carefull with that and do not input extra spaces when not needed
But... Wed May 3 12:23:21 2017 doesn't have any double spaces. The problem appears to be with your SAPROUTER_MONTHDAY pattern.
He had, I fail CC but he had double space 
By the way, you might want to clean you pattern not to match extra space. Always tests your patterns beforehand to avoid any errors like this.
(http://grokdebug.herokuapp.com/)
Yes I already try but It doesn't take into account the space (my pattern worked on this site) 
Correctly works for me. Maybe just like here, double space wasn't properly add, or forgotten a space in your pattern, etc.
Anyway, pay attention to this.
Yes maybe,
Thanks again !
