How to parse more similar fields with Logstash?

Francesca_P · March 3, 2018, 2:02am

Hi,
I'm new with Logstash. I'm trying to parse a log file that contain the following fields:

2017-02-02 07:19:16,908 [varMes: <audio source="au/speak1.wav" />
<audio source="au/speak2.wav" /> <audio source="au/speak3.wav" />
<audio source="au/speak4.wav" />]

2017-02-02 07:19:17,812 [varMes: &lt;audio source="au/speak1.wav" /&gt;
&lt;audio source="au/speak2.wav" /&gt;]

I would like to load them both in the same ES Index, but it does not work with just the grok filter. I can't understand how to manage the various fields.

Please, any help on how to load it?

eperry · March 3, 2018, 12:25pm

This is always a tough issue to deal with. Grok while incredibly powerful occasionally has limits. I have never found a good answer to deal with this. But there are options.

Here is an old article for one way to do it

another would be to do it in the ruby filter

A final option might be to use the KV filter as all your data is in "source=file"

system · March 31, 2018, 12:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.