How to grep number

Hey all,

I have a log message:

Jun 16 18:09:12 mail postfix/qmgr[30910]: 63F9C18BE69: from=root@test.srv, size=1116, nrcpt=1 (queue active)

But I only want to grep the number after the word "size=". Is there any way to grep just that number?

I also want to create a visualization from the number after the word "size=". Can anyone give me a solution?

Thanks :)

What are you using to parse this? Logstash? Something else?

For Logstash grok you can get docs here: https://www.elastic.co/guide/en/logstash/5.4/plugins-filters-grok.html

something like this might work:

%{SYSLOGBASE} %{WORD:queue_id}: from=%{EMAILADDRESS:from}, size=%{NUMBER:size}, nrcpt=%{NUMBER:nrcpt}

Oh, sorry for not informing you.

I'm using Filebeat direct to Elasticsearch.

Then you need to use the ingest API or use Logstash, ES cannot do this.

Thanks for the answer @warkolm

So, if I want to create a visualization using the number after the word "size=", I must use Logstash or the ingest API? It can't go directly from Filebeat to Elasticsearch?

FB does not parse these types of events, so yes you do need something else to do it.

Thanks @warkolm,

Can you suggest what to use, so I can create a Kibana visualization using the number after the word "size="?
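Added example, not part of the thread: a request body for `POST _ingest/pipeline/_simulate` that runs the log line from the first post through an ingest grok processor, using the pattern suggested above with `:int` conversions so `size` is indexed as a number Kibana can aggregate. The field names and the `description` text are assumptions of this example.

```json
{
  "pipeline": {
    "description": "Added example, not from the thread: extract size and nrcpt from postfix/qmgr lines as integers",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "%{SYSLOGBASE} %{WORD:queue_id}: from=%{EMAILADDRESS:from}, size=%{NUMBER:size:int}, nrcpt=%{NUMBER:nrcpt:int}"
          ],
          "ignore_failure": true
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "Jun 16 18:09:12 mail postfix/qmgr[30910]: 63F9C18BE69: from=root@test.srv, size=1116, nrcpt=1 (queue active)"
      }
    }
  ]
}
```

Once the simulate output shows `size` as a number, the `pipeline` object can be stored with `PUT _ingest/pipeline/<name>` and selected in Filebeat with the `pipeline` option under `output.elasticsearch`. With `ignore_failure` set, lines that do not match the pattern are indexed unparsed instead of being rejected.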
