Hi!
I'm ingesting .txt files containing navtex messages (see example below). Each message comes in a separate .txt file; they appear continuously over 24h, landing in a sub-directory named with the current date.
input {
  file {
    path => "/navtex/*/*.txt"
    start_position => "beginning"
    mode => "read"
    codec => multiline {
      pattern => "^Spalzani"
      negate => true
      what => "previous"
      auto_flush_interval => 1
    }
  }
}
Ingestion works OK. Each message gets indexed and looks good.
But I cannot get a grok working correctly. I need to grok the row containing "NAV WARNING" and it almost works.
match => { "message" => "^%{DATA:nav_warn_location} NAV WARN %{NUMBER:nav_warn_id}(/%{NUMBER:year})?" }
The above gives "nav_warn_id : 552" and "year : 21", but the ^%{DATA:nav_warn_location} takes the whole beginning of the message, not considering the start of the row:
Navtex Bulletin Received (UTC):
2021-12-19 17:30:38
ZCZC JA67
111050 UTC DEC
GERMAN
Expected output would be "nav_warn_location : GERMAN".
It works when I try it in the dev tools, but it probably has something to do with the multiline stuff.
Beginner in this, so probably something I'm missing... Any clues?
Navtex Bulletin Received (UTC):
2021-12-19 17:30:38
ZCZC JA67
111050 UTC DEC
GERMAN NAV WARN 552/21
WESTERN BALTIC.DECLARED AREA TODENDORF/PUTLOS.
SEVERAL CAUTION AREA BUOYS TEMPORARILY REMOVED.
NNNN
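
An added example, not part of the original post and not Logstash configuration: a plain Ruby regex reproduction of the symptom and of a line-bounded capture, run over the sample message above. It assumes the multiline event is the file's lines joined with "\n" and that the symptom comes from the location capture being allowed to cross line breaks; the constant and function names are made up for the illustration.

```ruby
# Constructed sample: the message from the post as one multiline event.
EVENT = [
  "Navtex Bulletin Received (UTC):",
  "2021-12-19 17:30:38",
  "ZCZC JA67",
  "111050 UTC DEC",
  "GERMAN NAV WARN 552/21",
  "WESTERN BALTIC.DECLARED AREA TODENDORF/PUTLOS.",
  "SEVERAL CAUTION AREA BUOYS TEMPORARILY REMOVED.",
  "NNNN"
].join("\n")

TAIL = ' NAV WARN (?<nav_warn_id>\d+)(?:/(?<year>\d+))?'

# Symptom: anchored at the start of the whole event (\A) with dot allowed to
# match newlines (Ruby's /m), the lazy capture grows across every earlier line.
CROSSES_LINES = Regexp.new('\A(?<nav_warn_location>.*?)' + TAIL, Regexp::MULTILINE)

# Line-bounded: the capture may start only at the event start or right after a
# line break, and [^\r\n] cannot cross one, whatever the anchor/dot settings.
# In grok the same idea can be written with an inline named capture:
#   (?<nav_warn_location>[^\r\n]*?) NAV WARN %{NUMBER:nav_warn_id}(/%{NUMBER:year})?
LINE_BOUNDED = Regexp.new('(?:\A|[\r\n])(?<nav_warn_location>[^\r\n]*?)' + TAIL)

# Returns a hash of named captures, or nil when the event has no NAV WARN row.
def extract(regex, event)
  m = regex.match(event)
  m && m.named_captures
end

if __FILE__ == $PROGRAM_NAME
  p extract(CROSSES_LINES, EVENT)
  p extract(LINE_BOUNDED, EVENT)
end
```
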