Grok pattern that captures lines/events that start with a specific text


(Shah) #1

I have a pattern word that appears multiple times in my logs. I want to set a tag for those lines which start with a nonspace + the pattern text + any data.

Following is a snippet from my log

Changeset:          http://hg.frairy.sams.net/jdk/hs-comp/rev/94f9
Changeset:          http://hg.frairy.sams.net/jdk/hs-comp/rev/f3827
Word :
Failures:
   This is Changeset: xyz

I tried the following grok patterns, but they are not working as I expected

 %{NOTSPACE}Changeset:%{SPACE}%{URI}
 Changeset:%{SPACE}%{GREEDYDATA}

I cannot use the second one as it may match other lines that have "Changeset: " text.

I need help with a grok pattern where a line starts with no space + Changeset: + any data after that


(Magnus Bäck) #2

This should work:

^Changeset:%{SPACE}%{URI}

Your first attempt doesn't work because NOTSPACE is defined as \S+, and the line you want to match doesn't contain at least one non-space character before "Changeset:".
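
The three patterns from this thread, run against the log lines from the question, as an added example that is not part of either post. The helpers `expand_grok` and `matching_lines` are hypothetical, and the `URI` definition is a reduced stand-in for the more elaborate stock grok pattern.

```ruby
# Definitions for the grok names used in the thread.
# NOTSPACE is quoted in the answer; SPACE and GREEDYDATA are the stock grok
# definitions; URI is a simplified approximation (assumption).
GROK_DEFS = {
  'NOTSPACE'   => '\S+',
  'SPACE'      => '\s*',
  'GREEDYDATA' => '.*',
  'URI'        => '[A-Za-z][A-Za-z0-9+.-]*://\S+'
}.freeze

# Log lines copied from the question (index 4 is the indented line).
LOG_LINES = [
  'Changeset:          http://hg.frairy.sams.net/jdk/hs-comp/rev/94f9',
  'Changeset:          http://hg.frairy.sams.net/jdk/hs-comp/rev/f3827',
  'Word :',
  'Failures:',
  '   This is Changeset: xyz'
].freeze

# Expand %{NAME} references into one Regexp. Like grok, the result is
# unanchored unless the pattern itself contains ^ or $.
def expand_grok(pattern)
  source = pattern.gsub(/%\{(\w+)\}/) do
    "(?:#{GROK_DEFS.fetch(Regexp.last_match(1))})"
  end
  Regexp.new(source)
end

# Return the indexes of LOG_LINES that the grok pattern matches.
def matching_lines(pattern)
  re = expand_grok(pattern)
  LOG_LINES.each_index.select { |i| LOG_LINES[i] =~ re }
end

PATTERNS = [
  '%{NOTSPACE}Changeset:%{SPACE}%{URI}', # needs \S+ before "Changeset:"
  'Changeset:%{SPACE}%{GREEDYDATA}',     # unanchored, also hits index 4
  '^Changeset:%{SPACE}%{URI}'            # anchored at line start
].freeze

PATTERNS.each do |pattern|
  puts format('%-40s -> lines %s', pattern, matching_lines(pattern).inspect)
end
```
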

