Hello,
The following strings successfully parsed at grok debugger:
<174>ddsh: {epoch=1553696401;id='AUDIT-DDSH-00001';desc='DDSH CLI command';level=3;user='root';role='se';app='ddsh';host='ddem';detail='cmd=cifs show detailed-stats';}
<174>-ddsh: {epoch=1553698006;id='AUDIT-DDSH-00001';desc='DDSH CLI command';level=3;user='sysadmin';role='admin';app='ddsh';host='ddem';detail='cmd=exit';}
with pattern like this:
-
<%{NONNEGINT:syslog_pri}>(-|)%{WORD:[syslog][program]}: {epoch=%{NUMBER:[syslog][epoch_timestamp]};id='%{DATA:[syslog][program_id]}';desc='%{DATA:[syslog][program][desc]}';level=%{NUMBER:[syslog][program][level]};user='%{WORD:[syslog][program][user]}';role='%{WORD:[syslog][program][role]}';app='%{WORD:[syslog][program][app]}';host='%{WORD:[syslog][program][host]}';detail='%{DATA:[syslog][program][detail]}';}
-
but when I put this pattern into the filter section I got a "_grokparsefailure".
I noticed that the failure starts at the "id=" part of the string, so I changed the patterns from [1][2][3] to [1][2_3]:
-
<%{NONNEGINT:syslog_pri}>(-|)%{WORD:[syslog][program]}: {epoch=%{NUMBER:[syslog][epoch_timestamp]};id='%{DATA:[syslog][program_id]}';desc='%{DATA:[syslog][program_desc]}';level=%{NUMBER:[syslog][program_level]};user='%{WORD:[syslog][program_user]}';role='%{WORD:[syslog][program_role]}';app='%{WORD:[syslog][program_app]}';host='%{WORD:[syslog][program_host]}';detail='%{DATA:[syslog][program_detail]}';}
-
and it works now.
Could you explain what the problem is with using the [1][2][3] pattern?
brg,
Serhiy.
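To make the difference between the two patterns visible, here is an added example (not part of the original post and not Logstash's own code). It translates the two grok patterns into Python regexes using a small, approximated subset of the stock grok pattern library, matches them against the two sample lines, and then writes the captures into a nested dict one field at a time, the way a Logstash event is built. The model assumes that Logstash refuses to nest a field under a value that is already a string (so `[syslog][program][desc]` cannot be written once `[syslog][program]` holds `ddsh`) and that the grok filter reports that as a parse failure; the exact internal mechanism is an assumption, but the point it demonstrates is that the regex itself matches in both cases (which is why the grok debugger was happy) and only the field assignment differs.

```python
import re

# Approximated subset of the stock grok pattern library (assumption:
# simplified regexes, sufficient for the two sample lines).
GROK_PATTERNS = {
    "NONNEGINT": r"\d+",
    "WORD": r"\b\w+\b",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "DATA": r".*?",
}

# The two sample lines from the post (constructed copies of the originals).
SAMPLE_LINES = [
    "<174>ddsh: {epoch=1553696401;id='AUDIT-DDSH-00001';desc='DDSH CLI command';"
    "level=3;user='root';role='se';app='ddsh';host='ddem';detail='cmd=cifs show detailed-stats';}",
    "<174>-ddsh: {epoch=1553698006;id='AUDIT-DDSH-00001';desc='DDSH CLI command';"
    "level=3;user='sysadmin';role='admin';app='ddsh';host='ddem';detail='cmd=exit';}",
]

# Pattern with [syslog][program] used both as a string and as a parent object.
NESTED_PATTERN = (
    r"<%{NONNEGINT:syslog_pri}>(-|)%{WORD:[syslog][program]}: {epoch=%{NUMBER:[syslog][epoch_timestamp]};"
    r"id='%{DATA:[syslog][program_id]}';desc='%{DATA:[syslog][program][desc]}';level=%{NUMBER:[syslog][program][level]};"
    r"user='%{WORD:[syslog][program][user]}';role='%{WORD:[syslog][program][role]}';app='%{WORD:[syslog][program][app]}';"
    r"host='%{WORD:[syslog][program][host]}';detail='%{DATA:[syslog][program][detail]}';}"
)

# Pattern with flat sibling fields next to [syslog][program].
FLAT_PATTERN = (
    r"<%{NONNEGINT:syslog_pri}>(-|)%{WORD:[syslog][program]}: {epoch=%{NUMBER:[syslog][epoch_timestamp]};"
    r"id='%{DATA:[syslog][program_id]}';desc='%{DATA:[syslog][program_desc]}';level=%{NUMBER:[syslog][program_level]};"
    r"user='%{WORD:[syslog][program_user]}';role='%{WORD:[syslog][program_role]}';app='%{WORD:[syslog][program_app]}';"
    r"host='%{WORD:[syslog][program_host]}';detail='%{DATA:[syslog][program_detail]}';}"
)


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into named groups.

    Returns the compiled regex and the list of field references, in capture
    order (group gN corresponds to fields[N]). Text outside %{...} is passed
    through as raw regex, as grok does.
    """
    fields = []

    def repl(m):
        name, field = m.group(1), m.group(2)
        fields.append(field)
        return f"(?P<g{len(fields) - 1}>{GROK_PATTERNS[name]})"

    return re.compile(re.sub(r"%\{(\w+):([^}]+)\}", repl, pattern)), fields


def field_path(ref):
    """'[syslog][program][desc]' -> ['syslog', 'program', 'desc'];
    a plain name such as 'syslog_pri' is a single top-level key."""
    parts = re.findall(r"\[([^\]]+)\]", ref)
    return parts if parts else [ref]


def set_field(event, path, value):
    """Write value at a nested path, creating intermediate objects.

    Raises TypeError when an intermediate key already holds a non-object
    value (assumed model of Logstash's refusal to nest under a string).
    """
    node = event
    for key in path[:-1]:
        child = node.get(key)
        if child is None:
            child = node[key] = {}
        elif not isinstance(child, dict):
            raise TypeError(
                f"[{key}] already holds {child!r}; cannot add child field [{path[-1]}] under it"
            )
        node = child
    node[path[-1]] = value


def grok_match(pattern, line):
    """Return the event dict, or None if the regex does not match."""
    regex, fields = grok_to_regex(pattern)
    m = regex.match(line)
    if m is None:
        return None
    event = {}
    for idx, ref in enumerate(fields):  # assign captures in pattern order
        set_field(event, field_path(ref), m.group(f"g{idx}"))
    return event


def try_pattern(pattern, line):
    """Mimic the filter outcome: ('ok', event) or ('_grokparsefailure', reason)."""
    try:
        event = grok_match(pattern, line)
    except TypeError as exc:
        return "_grokparsefailure", str(exc)
    if event is None:
        return "_grokparsefailure", "regex did not match"
    return "ok", event


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("nested:", try_pattern(NESTED_PATTERN, line))
        print("flat:  ", try_pattern(FLAT_PATTERN, line))
```

Running it shows the nested pattern's regex matching both lines, so the debugger result is reproduced, while event construction stops at the first field placed under `[syslog][program]` because that key already holds the string `ddsh`. The flat pattern keeps every sibling at the `[syslog]` level and builds the event cleanly. The same collision would occur with any field name that is reused as both a leaf and a parent, so the fix is to pick a different parent name (for example `[syslog][program_name]` for the WORD and keep `[syslog][program][...]` for the children) or to flatten as the post did.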