How to make it work?!

tennaen · April 19, 2021, 5:30am

Dears,
i have a problem and i cannot deal with it. In my pipeline configuration i have this code:

   if "%{[process][thread][id]}" =~ "[a-z0-9]+/[a-z0-9]+" {
      mutate {
         split => {
           "[process][thread][id]" => "/"
         }
        add_field => {
         "[event][trace][id]" => "%{[process][thread][id][0]}"
         "[event][span][id]" => "%{[process][thread][id][1]}"
        }
      }
    }

This is another variation of mutate filter and this one isn't working at all.
What i want to attainted is to filter all messages not like this [/]
My grok filter:

   grok {
      match => {
        "message" => [
          "^%{TIMESTAMP_ISO8601:[timestamp]} \[%{NOTSPACE:[process][thread][id]}\] %{SPACE}?%{LOGLEVEL:[log][level]} %{NOTSPACE:[event][class]}: - %{GREEDYDATA:[event][message]}"
        ]
      }
    }

Any help will be appreciated.

Badger · April 19, 2021, 2:49pm

That should be

if [process][thread][id] =~

tennaen · April 19, 2021, 2:58pm

@Badger looks like it's working. Thank you good Sir. I will test it on other indicies and will mark this as solved.

system · May 17, 2021, 2:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.