Help to create new field from message

Panplumousse · March 2, 2022, 1:58pm

Hello every body,

I m looking for a way (maybe with grok, probably with grok ), to create new field by extracting some specifique pattern but with keeping the field message without modification after operation

Example:
2022-03-02 13:16:49.199 DEBUG --- [ool-2-thread-34] c.i.c.b.u.s.CommonSlackService : SR-MODIFY-DISK:jjcb SRID:631221 ServiceTask_1gqecng:e25 [SLACK] Sending message: FATAL Error! Processing of SR-MODIFY-DISK for businessKey SRID:631221 For more details, follow this lin

Need to create new field SRID with value 631221

thx a lot for help

Badger · March 2, 2022, 6:25pm

Try

grok { match => { "message" => "SRID:%{NUMBER:SRID}" } }

Panplumousse · March 3, 2022, 12:36pm

Thx you it works

system · March 31, 2022, 12:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.