I have this log message
2017-03-02 15:52:08,455 INFO :RMI TCP Connection(80920)-10.53.123.123 [c
om.company.app] Hello world
I want to group the "RMI TCP onnection(80920)-10.53.123.123" into one field, called my_connection, so my grok filter looks like this
filter {
grok {
match => {
"message" => [
"%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}:(?<my_connection>???) ......"
]
}
}
}
What should the ??? be?
I came up with the following. However, it includes the space before the open square bracket before the classname. How do I rid of the space?
(?<node_connection>[^\[]*)
In other words, I get (space after the last 123 octet)
node_connection = "RMI TCP Connection(80920)-10.53.123.123 "
but I want (no space after last 123 octet)
node_connection = "RMI TCP Connection(80920)-10.53.123.123"
Just make sure there's a space after the closing parenthesis.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.