Hard regex

Hi, I need your help to write a regex. Here is my example message:
scc_check_file ignored non-ASCII file /etc/sysconfig/auditd: '/etc/sysconfig/auditd: regular file, no read permission'

I want to write an if which checks that the part before the : (scc_check_file ignored non-ASCII file /etc/sysconfig/auditd) contains none of these characters: \ , / , * , ? , " , < , > , | , space (the character, not the word), , , #

I don't understand what you're trying to do,

can you explain in more detail?

Also check the grok debugger and https://regex101.com/

value= "scc_check_file ignored non-ASCII file /etc/sysconfig/auditd: '/etc/sysconfig/auditd: regular file, no read permission'"

if [value] (up to the mark :) =~ /contains \ , / , * , ? , " , < , > , | , space (the character, not the word), , , #/ {
drop {}
}

but value up to the character :

What about extracting the interesting part first, like:

  grok {
    match => { "message" => "%{DATA:partial_value}:" }
  }

  if [partial_value] =~ /[\\\/\*\?\"\<\>\|\s\,\#]/ {
    drop{}
  }

Obviously you can replace message with value if you've already extracted the value field.
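As an added example (not part of the original thread), the grok pattern and conditional from the answer above can be reproduced in plain Ruby, which is handy because Logstash conditionals use Ruby-style regular expressions and the same character class can be pasted in unchanged. The helper names extract_partial_value and drop_event? are my own; the sample messages are constructed, with the first one taken from the question. It also shows what the filter does to that message: the captured part contains spaces and slashes, so the event is dropped.

```ruby
# Added example, not from the thread: mimic the grok filter and the
# conditional from the answer in plain Ruby so the behaviour can be
# checked offline before deploying the pipeline.

# %{DATA:partial_value}: in grok is a non-greedy .*? followed by a literal
# colon, so it captures everything up to the FIRST ':' in the message.
GROK_PARTIAL = /\A(?<partial_value>.*?):/

# The character class from the answer: \ / * ? " < > | whitespace , #
FORBIDDEN = /[\\\/\*\?\"\<\>\|\s\,\#]/

# Mimic the grok filter: return the captured field, or nil when the pattern
# does not match (Logstash would then leave the field unset).
def extract_partial_value(message)
  m = GROK_PARTIAL.match(message)
  m && m[:partial_value]
end

# Mimic the conditional: true means drop {} would run for this event.
def drop_event?(message)
  partial = extract_partial_value(message)
  return false if partial.nil?   # missing field: the =~ conditional is false
  !!(partial =~ FORBIDDEN)
end

# Constructed sample inputs. SAMPLE is the message from the question.
SAMPLE = "scc_check_file ignored non-ASCII file /etc/sysconfig/auditd: '/etc/sysconfig/auditd: regular file, no read permission'"
CLEAN  = "scc_check_file_ok: nothing to report"
NO_COLON = "a line without any colon at all"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE, CLEAN, NO_COLON].each do |msg|
    puts "#{drop_event?(msg) ? 'DROP' : 'KEEP'}  partial=#{extract_partial_value(msg).inspect}"
  end
end
```

One practical point this makes visible: the part of the sample message before the colon is "scc_check_file ignored non-ASCII file /etc/sysconfig/auditd", which contains both spaces and slashes, so with this conditional that event is dropped. If the goal was instead to keep such lines and drop the rest, the condition needs to be negated, or the grok pattern narrowed to the field that should actually be checked.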

Sounds good to me.
