Hi all, I have some logs with the following template:
1925/05/01;2019-07-23;00:00:55.193;[[ (MD) 19915478 CR=25895;AC=TLK;Id=2458
I am using the following filter in my Logstash script:
filter {
  csv {
    columns => ["ODate", "Date", "Time", "message"]
    separator => ";"
  }
  if ("MD" and "CR" in [message]) {
    grok {
      match => { "message" => "\[\[%{SPACE}\(%{WORD:cn}\)%{SPACE}%{NUMBER:ID1}%{SPACE}CR=%{NUMBER:so};AC=%{WORD:Ac1};%{GREEDYDATA:other_message}"
      }
    }
  }
}
When Logstash is started, it leads to the following result:
{
    "ODate" => "1925/05/01",
    "column6" => "Id=2458",
    "@version" => "1",
    "path" => "F:/1.log",
    "Time" => "00:01:48.130",
    "host" => "myhost",
    "@timestamp" => 2019-08-29T07:58:18.402Z,
    "message" => "[[ (MD) 19915478 CR=25895;AC=TLK;Id=2458",
    "column5" => "AC=TLK",
    "tags" => [
        [0] "_grokparsefailure"
    ],
    "Date" => "2019-07-23"
}
while I want it to be as follows:
{
    "ODate" => "1925/05/01",
    "other_message" => "Id=2458",
    "@version" => "1",
    "path" => "F:/1.log",
    "Time" => "00:01:48.130",
    "host" => "myhost",
    "@timestamp" => 2019-08-29T07:58:18.402Z,
    "message" => "[[ (MD) 19915478 CR=25895;AC=TLK;Id=2458",
    "Ac1" => "TLK",
    "cn" => "MD",
    "ID1" => "19915478",
    "so" => "25895",
    "Date" => "2019-07-23"
}
Any advice will be much appreciated.