Hi,
This is the content of one of the fields I get:
***** System health report *****
Available processors (cores): 2
Free memory: 63 MB
Maximum memory: 247 MB
Total memory: 247 MB
Operating System Architecture: arm
all this data is in one big string, I want to create query to filter all the rows that has Free memory between 0 to 70.
Is it possible to do it without changing the original log?
You need to parse the log to create structured data from it. You can use an ingest pipeline with a grok processor to do that in elasticsearch.
Thanks for the quick answer!
Can you please provide with some simple example just for me to understand the idea.
I looked into ingest as I had the feeling this is the way but I couldn't figure out how to do it.
You have plenty of examples on internet, on this group, in the documentation.
For example this page https://www.elastic.co/guide/en/elasticsearch/reference/6.5/grok-processor.html shows an example of the simulate API you will need to adapt most likely to fit your use case. I started to adapt it for you:
POST _ingest/pipeline/_simulate
{
"pipeline": {
"description" : "health",
"processors": [
{
"grok": {
"field": "message",
"patterns": ["%{GREEDYDATA:data}"]
}
}
]
},
"docs":[
{
"_source": {
"message": "Available processors (cores): 2\nFree memory: 63 MB\nTotal memory: 247 MB\nOperating System Architecture: arm"
}
}
]
}
Start from this an try to find the right grok pattern which will work for you.
The Grok Debugger in Kibana might help or this site: http://grokconstructor.appspot.com/
Thanks for the quick answer!
I will try it out.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.