I have a syslog like "2018-04-26 15:22:23,200の[INFO]の123" and i using "%{TIMESTAMP_ISO8601:time}の[%{WORD:FFF}]の%{INT:DD}" it does work.
But when i change the information to "2018-04-26 15:22:23,200の[INFO]のtest" and i using pattern "%{TIMESTAMP_ISO8601:time}の[%{WORD:FFF}]の%{WORD:DD2}", it doesn't work.
I am sure %{WORD} can match "test",where is the problem
is there anyone who can help me ? 
If I understand correctly:
WORD is \b\w+\b. But there is no word boundary (\b) at this place, so it doesn't match. The following works:
%{TIMESTAMP_ISO8601:time}の\[%{WORD:FFF}\]の(?<DD2>\w+\b)Do you really have a hiragana "no" in your logs?
yes it's been a big help
i am now using a customized pattern, it does work now ,thanks all your guys
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.