Partly true, Shrikant. He didn't mention what he is trying to do, so I specified several lines to figure out the pattern for:
Dec 14 03:13:01 ppddc1kfep302 my-checker: Context SHA of VSP Logger Software da39a3ee5e6b4b0d3255bfef95601890afd80709
Dec 12 12:01:27 ppdtest302 test-checker: Context SHA of TEST Software Version 3.0.1_RC5 0b1f71223180bf0df9330b13e17f8d7c62dfdaad16b97a80b8a25c99409c1109
This pattern is working:
filter {
  grok {
    # syslog timestamp, host, program name, then the "Context SHA of ... Software" payload;
    # the "Version x.y.z" part is optional, the hash is the last word on the line
    match => { "message" => "%{SYSLOGTIMESTAMP}%{SPACE}%{IPORHOST:my_host}%{SPACE}%{DATA}:%{SPACE}Context SHA of %{DATA:software} Software (%{DATA})?%{SPACE}(%{DATA:version})?%{SPACE}%{WORD:hash}" }
  }
  # lines without an explicit version get a default value
  if (![version]) {
    mutate { add_field => { "version" => "1.0.1" } }
  }
}
I assumed that version is an optional field as well as the "Version" text. You cannot use "host" for the field name because LS is using it as JSON. If you still want to use it, add: mutate { remove_field => ["host"] }
above grok.
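To check what the grok filter above produces before loading it into Logstash, here is an added example (not from the post) that hand-expands the same pattern into a Python regex, applies the same default-version rule, and runs it over constructed copies of the two sample lines. The regex is an assumption of equivalent intent, not a mechanical expansion: the hash is matched as hex rather than grok's looser %{WORD}, and the version is only captured after a literal "Version" keyword; the hash-length classification is an addition for checking the digest type.

```python
import re

# Constructed sample lines, modelled on the two posted above; a third one that
# does not fit the format is included to show the non-matching case.
SAMPLE_LINES = [
    "Dec 14 03:13:01 ppddc1kfep302 my-checker: Context SHA of VSP Logger Software "
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "Dec 12 12:01:27 ppdtest302 test-checker: Context SHA of TEST Software "
    "Version 3.0.1_RC5 "
    "0b1f71223180bf0df9330b13e17f8d7c62dfdaad16b97a80b8a25c99409c1109",
    "Dec 12 12:02:00 ppdtest302 test-checker: checker started",
]

# Same default the mutate filter in the post adds when version is missing.
DEFAULT_VERSION = "1.0.1"

# Hand-expanded equivalent of the grok pattern (assumption: stricter than grok's
# %{DATA}/%{WORD}, so a line has to carry a hex digest to match at all).
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"  # SYSLOGTIMESTAMP
    r"(?P<my_host>\S+)\s+"                                            # IPORHOST:my_host
    r"(?P<program>[^:]+):\s+"                                         # DATA before the colon
    r"Context SHA of (?P<software>.+?) Software"                      # DATA:software
    r"(?:\s+Version\s+(?P<version>\S+))?"                             # optional version
    r"\s+(?P<hash>[0-9a-fA-F]+)$"                                     # WORD:hash, hex only
)

# Digest type by hex length; anything else is flagged rather than guessed.
HASH_LENGTHS = {40: "sha1", 64: "sha256"}


def parse_line(line):
    """Return the fields the grok filter would emit for one line, or None on no match
    (the equivalent of Logstash tagging the event with _grokparsefailure)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    if not event["version"]:
        event["version"] = DEFAULT_VERSION
    event["hash_kind"] = HASH_LENGTHS.get(len(event["hash"]), "unknown")
    return event


def parse_all(lines):
    """Parse every line, keeping failures as None so callers can count them."""
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for parsed in parse_all(SAMPLE_LINES):
        print(parsed if parsed else "no match (_grokparsefailure)")
```

Running it shows the first line picking up the default version and the second keeping its "3.0.1_RC5"; the third line returns None, which is the case to watch for in Logstash as a `_grokparsefailure` tag. Restricting the hash to hex also means a line whose digest field contains anything else fails loudly instead of being stored as a bogus SHA.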