How can i specify the end of logs

oussama · July 1, 2015, 10:00am

    0
    down vote

    favorite

I wanna know how can i specify the end of logs.

this is my logs :

message = state:this is a sate,client_name:user

And my match is :

match => [ "message", "%{DATA:dataAfterClientName},client_name:%{DATA:client_name}"]

in the résult i can see juste the dataAfterClientName = state:this is a sate but i don't get the client_name value.

Any help please

magnusbaeck · July 1, 2015, 10:12am

Avoid using the DATA pattern. In your case it's probably matching too much. In this particular case I'd try using the kv filter instead of grok.