LOG WHICH I AM TRYIING TO PARSE:-
2019-07-03 17:04:58.562 DELETE accept UDP 10.133.189.203:56897 -> 233.79.64.194:654 678.133.200.279:56131 -> 23.64.33.898:555 0 0 The grok pattern which i am trying to use:-
filter {
grok { match => { "message" => "%{WORD:abc} %{WORD:xyz} %{WORD:proto} %{IPV4:ip1}:%{INT:port1} -> %{IPV4:ip2}:%{INT:port2} %{IPV4:ip3}:%{INT:port3} -> %{IPV4:ip4}:%{INT:port4} %{INT:byte} %{INT:byte}$"}}
date { match => [ "[@metadata][ts]", "YYYY-MM-dd HH:mm:ss" ] }
}
Please,help me as I am a new in this field.
Even if i use "IP" instead of "IPV4" there is an error coming which indicates the parsing is not taking place . What could be the possible reason for that. Now the code i am using is :-
filter {
grok { match => { "message" => "%(DATESTAMP:datestamp) %{WORD:Event} %{WORD:Xevent} %{WORD:protocol} %{IP:ip1}:%{INT:port1} -> %{IP:ip2}:%{INT:port2} %{IP:ip3}:%{INT:port3} -> %{IP:ip4}:%{INT:port4} %{INT:Inbyte} %{INT:Outbyte}$"}}
}
{I EVEN TRIED CHANGING IPV4 TO IP but it DIDN'T WORK OUT }
I have given a log sample in the question asked :- LOG WHICH I AM TRYIING TO PARSE:- 2019-07-03 17:04:58.562 DELETE accept UDP 10.133.189.203:56897 -> 233.79.64.194:654 678.133.200.279:56131 -> 23.64.33.898:555 0 0
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.