Help with custom pattern

Hi guys,

i'm trying to put parse a JDE log but i keep having a _grokparsefailure and i really don't see where my problem is.

Here's what i have

filter {
        grok {
                pattern_definitions => { "JDEPROCESS" => "([0-9]{2,5})"
                                          "JDEMESSAGE" => "(.*)"
                                          "JDESUBPROCESS" => "([0-9]{2,5})"
                                          "JDEDATE" => "([A-Z][a-z]{3} [A-Z][a-z]{3} [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{6})"
                                          "JDESPACE" => "( *)"
                                          "JDETAB"  => "(\t)"
                }
                 match => { "message" => "%{JDEPROCESS:jdeprocess}\/%{JDESUBPROCESS:jdesubprocess}%{JDETAB:jdetab}%{JDEMESSAGE:jdemessage}"}
        }#Close Grok

And my log input is like this :

 10944/8816	Thu Aug 20 10:32:27.004000		ipcmisc.c348

any idea?

Regards

Nevermind some coffee did the trick

 filter {
        grok {
                pattern_definitions => { "JDEPROCESS" => "([0-9]{2,5})"
                                          "JDEMESSAGE" => "(.*)"
                                          "JDESUBPROCESS" => "([0-9]{2,5})"
                                          "JDEDATE" => "([A-Za-z]{3}.[A-Za-z]{3}.[0-9]{2}.[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{6})"
                                          "JDESPACE" => "( *)"
                                          "JDETAB"  => "(\t)"
                }
                 match => { "message" => "%{JDEPROCESS:jdeprocess}\/%{JDESUBPROCESS:jdesubprocess}%{SPACE}\t%{JDEDATE:jdetimestamp}%{SPACE}\t%{JDEMESSAGE:jdemessage}"}
        }#Close Grok

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.