Grokparse failure on simple grok

Hello ... me again... I am trying to apply a grok filter to the following:

Time: 9/20/2017 11:11:01 AM MSG: Somedata Severity: Critical somedata

I first attempted to parse the timestamp and the Severity using:

TIMESTAMP %{DATE_US} %{TIME} (AM|PM)
# the sample message contains no ']', so a literal ']' after %{GREEDYDATA} can never match
sisoutput %{WORD}: %{TIMESTAMP:logtime2} %{GREEDYDATA} %{WORD}: %{WORD:severity}

I have had issues parsing out timestamps in Logstash for months now. Even though I test it out in the terminal or on the grok debugger page and it shows the data parsed out, I have had no luck.

So I decided to just parse out the whole message using GREEDYDATA ... I am still getting grokparse failure. Now can someone explain why that would happen?

We are sending a lot of data to Elastic for this particular index ... would that cause issues in Logstash?

Like we're bombarding Elastic with "too much data" that it can't handle?

Is there something I need to add to my Logstash servers to handle the load?

I am truly perplexed by this ... how is it not parsing out the message with just %{GREEDYDATA:whole_message}?

Pattern:

sisoutput %{GREEDYDATA:whole_message}

Thanks again for all the help thus far.
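To show what grok actually does with the patterns in the post, here is an added example (not from the original thread and not Logstash's own code) that expands `%{NAME}` / `%{NAME:field}` references into a Python regex the same way a grok patterns file is resolved, then runs it against the sample line. The base patterns (WORD, GREEDYDATA, DATE_US, TIME and their parts) are simplified stand-ins for the Logstash library definitions, and the pattern names `sisoutput_broken`, `sisoutput_all` and `nosuchpattern` are constructed for this demonstration. It shows that the original pattern with the stray `]` produces no match (the equivalent of a grokparsefailure), that the same pattern without the `]` extracts `logtime2` and `severity`, that `%{GREEDYDATA:whole_message}` matches the entire line, and that a reference to a pattern name that was never loaded is an error rather than a match.

```python
import re

# Simplified stand-ins for a few Logstash built-in grok patterns (assumption:
# approximations, not the exact library definitions).
BASE_PATTERNS = {
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "DATE_US": r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:[0-5]?[0-9])",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})?",
    "WORD": r"\b\w+\b",
    "GREEDYDATA": r".*",
}

# Constructed patterns file in Logstash's "NAME <pattern>" format. The first
# sisoutput variant is the one from the post, stray ']' included.
CUSTOM_PATTERNS_FILE = """
TIMESTAMP %{DATE_US} %{TIME} (AM|PM)
# the sample line contains no ']' so this can never match
sisoutput_broken %{WORD}: %{TIMESTAMP:logtime2} %{GREEDYDATA}] %{WORD}: %{WORD:severity}
sisoutput %{WORD}: %{TIMESTAMP:logtime2} %{GREEDYDATA} %{WORD}: %{WORD:severity}
sisoutput_all %{GREEDYDATA:whole_message}
"""

# Constructed sample line, copied from the post.
SAMPLE = "Time: 9/20/2017 11:11:01 AM MSG: Somedata Severity: Critical somedata"

REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def load_patterns(text, base=BASE_PATTERNS):
    """Parse 'NAME pattern' lines (skipping blanks and '#' comments) on top of base."""
    patterns = dict(base)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, body = line.partition(" ")
        patterns[name] = body
    return patterns


def undefined_references(pattern, patterns):
    """Names referenced as %{NAME} that are not defined anywhere (a load-time error in grok)."""
    return [m.group(1) for m in REF.finditer(pattern) if m.group(1) not in patterns]


def expand(pattern, patterns, depth=0):
    """Recursively replace %{NAME} with a non-capturing group and %{NAME:field} with a named group."""
    if depth > 20:
        raise ValueError("pattern nesting too deep")

    def sub(m):
        name, field = m.group(1), m.group(2)
        if name not in patterns:
            raise KeyError(f"undefined grok pattern %{{{name}}}")
        inner = expand(patterns[name], patterns, depth + 1)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"

    return REF.sub(sub, pattern)


def grok_match(line, pattern, patterns):
    """Return the captured fields, or None when the pattern does not match (grokparsefailure)."""
    regex = re.compile(expand(pattern, patterns))
    m = regex.search(line)  # grok matches anywhere in the line unless the pattern is anchored
    return m.groupdict() if m else None


PATTERNS = load_patterns(CUSTOM_PATTERNS_FILE)

if __name__ == "__main__":
    for name in ("sisoutput_broken", "sisoutput", "sisoutput_all"):
        print(name, "->", grok_match(SAMPLE, "%{" + name + "}", PATTERNS))
    print("undefined:", undefined_references("%{nosuchpattern:x}", PATTERNS))
```

When the whole-message pattern still fails in Logstash even though the regex above matches, the remaining suspects are outside the pattern text itself: the custom name not being loaded (`patterns_dir` not pointing at the file, which the expander reports as an undefined reference), the filter being applied to a field other than `message`, or the field having been altered by an earlier filter. That is why the reply below asks to see the filter configuration rather than the pattern alone.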

What does your grok filter currently look like?
