im using it in logfile fields time,sessionid,requestid, fieldvalue columns and my question is inside of fieldvalue column these terms are placed. how to split the createdtime value to individual field (createdby,createdtime ,updatedby,updatedtime,name,etc.,)
grok{
match =>["message","%{NUMBER:TIME} \t %{WORD:SESSIONID} \t %{GREEDYDATA:FieldValue}"]
}
thanks
saravanan.R
Hi
You could use a second grok{} filter, placed after the first, where your FieldValue already exists, and extract your "createdby", etc.:
grok {
match => ["FieldValue", ".... your stuff goes here..."]
}
Hope this helps.
thankyou bro i will try it now
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.