How to get only matched lines from "Message"?

RameshNagargoje · April 30, 2018, 6:48am

Hi, I am using grok filter to find match, lines in "message",But i not getting how to get that lines from "message".

Here is my filter

grok
{
match => { logs => "dhd_check_hang: Event HANG send up due to"}
}

And here is input
rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] [] (kthread+0xe0/0xe4) from [] (ret_from_fork+0x14/0x20)
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
15119.753889] dhd_bus_rxctl: rxcnt_timeout=5, rxlen=0
[15119.753902] Dhd_check_hang: Event HANG send up due to re=5 te=0 e=-110 s=2
[15119.753917] Dhd_check_hang: Event HANG send up due to re=5 te=0 e=-110 s=2
[15119.753937] Dhd_prot_ioctl : bus is down. we have nothing to do
[15119.791431] [] (schedule_timeout+0x158/0x25c) from [] (0xea1e0000)
[15119.799331] kworker/3:2 R running 0 29597 2 0x00000000
[15119.805699] [] (__schedule+0x3d0/0x8a4) from [] (worker_thread+0x1fc/0x3dc)
[15119.814384] [] (worker_thread+0x1fc/0x3dc) from [] (kthread+0xe0/0xe4)
[15119.822637] [] (kthread+0xe0/0xe4) from [] (ret_from_fork+0x14/0x20)
[15119.830710] kworker/u8:1 S c0ab2fd4 0 29738 2 0x00000000
[15119.837078] [] (__schedule+0x3d0/0x8a4) from [] (worker_thread+0x1fc/0x3dc)
[15119.845763] [] (worker_thread+0x1fc/0x3dc) from [] (kthread+0xe0/0xe4)
[15119.854015] [] (kthread+0xe0/0xe4) from [] (ret_from_fork+0x14/0x20)
[15119.862088] kworker/u8:4 S c0ab2fd4 0 29739 2 0x00000000
[15119.868455] [] (__schedule+0x3d0/0x8a4) from [] (worker_thread+0x1fc/0x3dc)
[15119.877140] [] (worker_thread+0x1fc/0x3dc) from [] (kthread+0xe0/0xe4)
[15119.885391] [] (kthread+0xe0/0xe4) from [] (ret_from_fork+0x14/0x20)
[15119.893468] Sched Debug Version: v0.10, 3.10.96+ #1
[15119.898337] ktime

yaauie · April 30, 2018, 10:04pm

grok isn't really for finding matches; it's for extracting structured information from flat messages.

If you merely want to select messages that match a pattern, you can use an if statement:

filter {
  if [message] =~ /Dhd_check_hang/ {
    # filters in here will only run on messages that match the pattern
  }
}

system · May 28, 2018, 10:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use multiline pattern matching grok filter? Logstash	6	432	May 29, 2018
Which algorithms are used in grok filter to find exact match? Logstash	10	900	May 29, 2018
How to get all matches for a grok pattern in a multiline message Logstash	5	2808	July 6, 2017
Is it possible to index only the matched log lines of grok in Logstash? Logstash	6	3094	March 5, 2017
Message contains full log line Logstash	3	844	September 28, 2018

How to get only matched lines from "Message"?

Related topics