Hi,
I have logs like that , Wed May 10 02:50:43 2017 Wed May 3 12:23:21 2017
My grok pattern works when they are only 1 space , like the "Wed May 10 02:50:43 2017" but with "Wed May 3 12:23:21 2017", it doesn't work. But when i remove one space, it's operate.
My grok pattern is : SAPROUTER_DATESTAMP (%{SAPROUTER_DAY}%{SAPROUTER_MONTH}%{SAPROUTER_MONTHDAY}%{SAPROUTER_TIME}%{SAPROUTER_YEAR})
Thank you
When I change my grok pattern with a space like that , it works with the 3 may but not with the 10 {SAPROUTER_MONTH} %{SAPROUTER_MONTHDAY}
The problem for you might come from your definition of SAPROUTER_MONTH or SAPROUTER_MONTHDAY which already includes one space. That's why +didn't work (+ means at least one occurence) and the same goes for {1,2}
So \s* might work, as well as \s{0,1} which is equal to \s?.
A space in your definition really defines a space so be carefull with that and do not input extra spaces when not needed
By the way, you might want to clean you pattern not to match extra space. Always tests your patterns beforehand to avoid any errors like this.
(http://grokdebug.herokuapp.com/)
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
