Hard regex

Hi, I need your help writing a regex. Here is my example message:
scc_check_file ignored non-ASCII file /etc/sysconfig/auditd: '/etc/sysconfig/auditd: regular file, no read permission'

I want to write an if that checks that, in the part up to the : (scc_check_file ignored non-ASCII file /etc/sysconfig/auditd), there are no characters such as: \ , / , * , ? , " , < , > , | , space (the character, not the word), , , #

I don't understand what you're trying to do.

Can you explain in detail?

Also check the grok debugger and https://regex101.com/

value= "scc_check_file ignored non-ASCII file /etc/sysconfig/auditd: '/etc/sysconfig/auditd: regular file, no read permission'"

if [value] (to the mark :) =~ /contains \ , / , * , ? , " , < , > , | , space (the character, not the word), , , #/ {
drop {}
}

but value up to the character :

What about extracting the interesting part first, like:

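  # DATA is a lazy match, so partial_value holds the text before the first ":"
  grok {
    match => { "message" => "%{DATA:partial_value}:" }
  }

  # Drop the event if that part contains any of the listed characters
  if [partial_value] =~ /[\\\/\*\?\"\<\>\|\s\,\#]/ {
    drop {}
  }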

Obviously you can replace message with value if you've already extracted the value field.

Sounds good to me.
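To try the grok-then-conditional approach suggested above outside Logstash, here is an added example (not part of the original thread) that emulates it in plain Ruby. The helper names `decide` and `offending_chars` and every sample line except the first are constructed for illustration; the first sample is the message from the question.

```ruby
# Added example: emulates the grok + conditional from the thread in plain Ruby.
# The stock grok pattern DATA is `.*?`, so "%{DATA:partial_value}:" captures
# lazily and stops at the FIRST colon in the message.
PARTIAL   = /(?<partial_value>.*?):/
# Character class copied from the conditional in the thread.
FORBIDDEN = /[\\\/\*\?\"\<\>\|\s\,\#]/

# :no_match -> no colon in the message, so partial_value would never be set
# :drop     -> the part before the first colon contains a listed character
# :keep     -> the part before the first colon is clean
def decide(message)
  m = PARTIAL.match(message)
  return :no_match if m.nil?
  FORBIDDEN.match?(m[:partial_value]) ? :drop : :keep
end

# Lists which characters triggered the drop, useful when tuning the class.
def offending_chars(message)
  m = PARTIAL.match(message)
  return [] if m.nil?
  m[:partial_value].scan(FORBIDDEN).uniq
end

SAMPLES = [
  # message from the question: spaces and slashes before the first colon
  "scc_check_file ignored non-ASCII file /etc/sysconfig/auditd: " \
  "'/etc/sysconfig/auditd: regular file, no read permission'",
  # constructed: clean prefix
  "auditd_status: running",
  # constructed: no colon at all
  "no delimiter here",
  # constructed: only "C" precedes the first colon, so the backslashes
  # after it are never inspected
  "C:\\Windows\\audit.log: locked"
]

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |msg|
    puts "#{decide(msg).to_s.ljust(9)} #{offending_chars(msg).inspect}  #{msg}"
  end
end
```

The last sample shows that the check only covers the text before the first colon, so a message with an early colon is kept even when listed characters follow it.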