Grok help

Need some grok help. I'm using grokdebug and I cannot figure out what I'm
doing wrong here.

Raw message:

<166>raslogd: 2014/11/21-15:07:14, [SEC-1203], 6643, WWN
10:00:00:27:f2:9a:8d:7f | FID 128

What I have so far for the parse......

<%{INT:syslog_pri}>%{WORD:facility}:
(?%{YEAR}/%{MONTHNUM}/%{MONTHDAY}-%{TIME}),
[(?<MSG_ID>%{WORD}-%{INT})], %{INT:SEQUENCE}, WWN %{IPV6:WWN} |
(?%{WORD} %{INT})

Everything works fine until I get to the end "FID 128" and I get nothing
but a null. Even if I just do %{WORD} to get "FID" it still gives me a
null value in grokdebug.

I'm missing something basic here.

Thanks,

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/23230299-b877-4f24-a157-c5b2d4b246da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

arrrg. forgot to escape the |.

On Monday, November 24, 2014 12:16:05 PM UTC-5, Billy F wrote:

Need some grok help. I'm using grokdebug and I cannot figure out what I'm
doing wrong here.

Raw message:

<166>raslogd: 2014/11/21-15:07:14, [SEC-1203], 6643, WWN
10:00:00:27:f2:9a:8d:7f | FID 128

What I have so far for the parse......

<%{INT:syslog_pri}>%{WORD:facility}:
(?%{YEAR}/%{MONTHNUM}/%{MONTHDAY}-%{TIME}),
[(?<MSG_ID>%{WORD}-%{INT})], %{INT:SEQUENCE}, WWN %{IPV6:WWN} |
(?%{WORD} %{INT})

Everything works fine until I get to the end "FID 128" and I get nothing
but a null. Even if I just do %{WORD} to get "FID" it still gives me a
null value in grokdebug.

I'm missing something basic here.

Thanks,


On Monday, November 24, 2014 at 20:09 CET,
Billy F billyfurlong@gmail.com wrote:

arrrg. forgot to escape the |.

Excellent! Next time, please keep in mind that the logstash-users list
is a better fit for grok questions than the elasticsearch list.

--
Magnus Bäck | Software Engineer, Development Tools
magnus.back@sonymobile.com | Sony Mobile Communications

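Why the unescaped | left the FID capture null, shown as an added example that is not part of the original thread. It is written in Ruby, whose regex engine derives from the Oniguruma engine that grok uses. The plain regexes standing in for the grok sub-patterns, the escaped square brackets, the group names ts and fid, and the helpers parse and covers_line? are assumptions made for illustration.

```ruby
# Added example, not code from the thread.
# Raw message from the thread, joined onto one line.
LINE = '<166>raslogd: 2014/11/21-15:07:14, [SEC-1203], 6643, WWN ' \
       '10:00:00:27:f2:9a:8d:7f | FID 128'

# Simplified stand-ins for %{INT}, %{WORD}, the timestamp and the WWN
# (assumptions; the real grok definitions are more permissive).
HEAD = '<(?<syslog_pri>\d+)>(?<facility>\w+): ' \
       '(?<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}), ' \
       '\[(?<MSG_ID>\w+-\d+)\], (?<SEQUENCE>\d+), ' \
       'WWN (?<WWN>(?:\h{2}:){7}\h{2}) '
TAIL = ' (?<fid>\w+ \d+)'

# A bare | is top-level alternation: the pattern becomes "HEAD or TAIL".
UNESCAPED = Regexp.new(HEAD + '|' + TAIL)
# \| is a literal pipe character, so HEAD and TAIL must both match.
ESCAPED = Regexp.new(HEAD + '\|' + TAIL)

# Hash of group name => captured text (nil for groups that did not take part).
def parse(re, line)
  m = re.match(line)
  m && m.named_captures
end

# True only when the match consumed the entire line. A false result with
# otherwise sensible captures points at an accidental alternation.
def covers_line?(re, line)
  m = re.match(line)
  !m.nil? && m[0] == line
end

if __FILE__ == $PROGRAM_NAME
  { 'unescaped' => UNESCAPED, 'escaped' => ESCAPED }.each do |label, re|
    puts "#{label}: fid=#{parse(re, LINE)['fid'].inspect} " \
         "covers_line=#{covers_line?(re, LINE)}"
  end
end
```

With the bare |, the left alternative matches from the start of the line up to the space before the pipe, so the match succeeds and every group to the right of the | stays null.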