I'm encountering an issue when configuring Logstash. Here is an example from my case that I need the grok filter to match: some lines have IP and sessionID fields but some do not (so the fields are not exactly the same within one single log file). How can I modify the grok expression to cater for this?
All lines start with a quotation mark ("), which is annoying. You can see the SMTP* lines have 2 more fields than the APPLICATION and TCP lines. I tried to use two message expressions in the same grok:
Two grok matches should work:
grok {
  match => ["message", '"SMTP*"\s*(%{BASE10NUM:process})\s*(%{BASE10NUM:session})\s*...']
  match => ["message", '"APP*"\s*(%{BASE10NUM:process})\s*...']
}
Firstly I think we need to use \" instead of ", but it's still not working by doing so. I tried it in the Grok Debugger using "SMTP*" but it didn't match any of the patterns listed. Any ideas?
How can we make grok match the first expression when the line starts with "SMTP,
and then match the second expression when the log line starts with "APP*?
I have to match exactly SMTPD for the first match expression by using "SMTPD", then use "\APPLICATION" for the other expression. It works this way! But if I have too many types of words to start with, that does not scale, so I'm trying to figure out how to use the first one for lines starting with "SMTP and have the other expression match those lines not starting with "SMTP.
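The example below is added here and is not code from the original post or from Logstash. It reproduces the behaviour the post describes in plain Python regexes, because grok patterns are regular expressions with %{NAME:field} sugar: the pair of expressions the post tried is shown beside a corrected pair, run over constructed sample lines (the field layout is assumed, not taken from the post). The point it makes visible is that in "SMTP*" the asterisk is a quantifier on the P, so the pattern can only match "SMT", "SMTP", "SMTPP"... immediately followed by a quote, never "SMTPD"; anchoring with ^ and a prefix match such as SMTP\w*, plus a negative lookahead (?!SMTP) on the fallback pattern, gives the "SMTP lines here, everything else there" split the post asks for. The grok() helper emulates grok's match list: patterns are tried in order and the first match wins (grok's default break_on_match => true).

```python
import re

# Simplified stand-in for grok's %{BASE10NUM}. The real grok definition adds
# lookbehinds and an atomic group that Python's re only accepts from 3.11 on.
BASE10NUM = r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)"


def field(name, pattern=BASE10NUM):
    """Python spelling of grok's %{PATTERN:name}. Grok (Oniguruma) writes a
    named capture as (?<name>...), Python needs (?P<name>...)."""
    return f"(?P<{name}>{pattern})"


# Constructed sample records (not from the original post). They only imitate
# the shape described there: every line opens with a double quote, SMTP*
# lines carry two extra fields (here an IP and a session id), the
# APPLICATION and TCP lines do not.
LINES = [
    '"SMTPD" 4120 77 192.0.2.10 s-abc123',
    '"SMTPC" 4121 78 192.0.2.11 s-def456',
    '"APPLICATION" 4122 9',
    '"TCP" 4123 10',
]

# What the post tried. '*' is a regex quantifier on the preceding 'P', so
# "SMTP*" means: quote, S, M, T, zero or more P, quote. It can never match
# the text "SMTPD" because the D sits where the closing quote is required.
BROKEN = [
    r'"SMTP*"\s*' + field("process") + r"\s*" + field("session"),
    r'"APP*"\s*' + field("process"),
]

# Corrected pair. Pattern 1 anchors at the start of the line and accepts any
# record name beginning with SMTP. Pattern 2 uses a negative lookahead so it
# can only match lines that do NOT start with "SMTP, whatever the ordering.
FIXED = [
    r'^"' + field("type", r"SMTP\w*") + r'"\s+' + field("process")
    + r"\s+" + field("session")
    + r"\s+" + field("ip", r"\d{1,3}(?:\.\d{1,3}){3}")
    + r"\s+" + field("sessionid", r"\S+"),
    r'^"(?!SMTP)' + field("type", r"\w+") + r'"\s+' + field("process")
    + r"\s+" + field("session"),
]


def grok(patterns, text):
    """Emulate a grok match list: try each pattern in order with an unanchored
    search (grok patterns are not anchored unless you write ^) and return the
    named captures of the first one that matches, as grok does with its
    default break_on_match => true. None stands for _grokparsefailure."""
    for pattern in patterns:
        m = re.search(pattern, text)
        if m:
            return m.groupdict()
    return None


def parse_all(patterns, lines=LINES):
    """Run one pattern list over every sample line."""
    return [grok(patterns, line) for line in lines]


if __name__ == "__main__":
    for line in LINES:
        print(line)
        print("  broken:", grok(BROKEN, line))
        print("  fixed: ", grok(FIXED, line))
```

In the Logstash config the two corrected expressions go into a single match array, match => { "message" => [ first, second ] }, with grok's (?<type>SMTP\w*) in place of Python's (?P<type>...) and %{BASE10NUM:process} for the numeric fields; inside a double-quoted Logstash string the literal quote is written \". Ordering alone would already route SMTP lines to the first pattern because grok stops at the first match, but the (?!SMTP) lookahead makes the second pattern say explicitly what it is for, which keeps it correct if the list is reordered or break_on_match is switched off.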