I use grok to differentiate the content of each line of the log and mutate to create new fields and assign those values, but it doesn't work. I write the configuration content literally.
I don't have compiling problems. I tried the first one and the second and nothing changed.
filter {
  grok {
    match => {
      "message" => ["%{DATE:date} (?:(?:%{TIME:time})|(?:%{TIMEX:timex})) %{WORD} (?:(?:%{PROG:prog})|(?:%{PROGRAM:program})) (?:\(%{USERNAME:value}\)) (?:%{WORD:level}\:) %{GREEDYDATA:text}"]
    }
    pattern_definitions => {
      # (?<![0-9]) is the negative lookbehind; the (?!<[0-9]) spelling copied from the stock TIME pattern is a no-op lookahead for "<digit"
      "TIMEX" => "(?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECONDX})(?![0-9])"
      "SECONDX" => "(?:(?:[0-5]?[0-9]|60)(?:[:.,][x]+)?)"
      "PROGRAM" => "(?:%{PROG}\s\-\s%{PROG})"
    }
  }
  mutate {
    # one add_field hash is the documented form (repeated add_field keys are merged for legacy reasons)
    # if grok did not match, the event is tagged _grokparsefailure and these fields keep the literal strings "%{value}", "%{level}", "%{text}"
    add_field => {
      "Host"  => "%{value}"
      "Level" => "%{level}"
      "Text"  => "%{text}"
    }
  }
}
Is something wrong?
Thanks
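An added example, not from the original post or from Logstash itself: a small Python reproduction of this grok match and the following mutate add_field step, so the pattern can be checked offline against a constructed log line. It assumes the subset of the stock Logstash grok-patterns definitions that the match references (with YEAR simplified to a non-atomic group and TIME written with the intended negative lookbehind), the poster's own TIMEX/SECONDX/PROGRAM definitions, and three constructed sample lines. It shows the fields grok would produce on a matching line, that the TIMEX alternative only fires when the seconds carry the "x" suffix, and that on a non-matching line the add_field values stay as the literal "%{value}" text, which is the symptom of a grok failure rather than a mutate problem.

```python
import re

# Subset of the stock Logstash grok-patterns file needed by the posted match (assumption).
# YEAR uses (?:\d\d){1,2} instead of the upstream atomic (?>\d\d){1,2}; TIME carries the
# negative lookbehind that upstream misspells as (?!<[0-9]).
BASE_PATTERNS = {
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "WORD": r"\b\w+\b",
    "GREEDYDATA": r".*",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"(?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "DATE_US": r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "DATE_EU": r"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}",
    "DATE": r"%{DATE_US}|%{DATE_EU}",
}

# The poster's pattern_definitions, unchanged apart from the lookbehind spelling.
CUSTOM_PATTERNS = {
    "TIMEX": r"(?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECONDX})(?![0-9])",
    "SECONDX": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][x]+)?)",
    "PROGRAM": r"(?:%{PROG}\s\-\s%{PROG})",
}

# The poster's match expression, verbatim.
MATCH = (r"%{DATE:date} (?:(?:%{TIME:time})|(?:%{TIMEX:timex})) %{WORD} "
         r"(?:(?:%{PROG:prog})|(?:%{PROGRAM:program})) (?:\(%{USERNAME:value}\)) "
         r"(?:%{WORD:level}\:) %{GREEDYDATA:text}")

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")   # %{NAME} or %{NAME:field}
FIELD_REF = re.compile(r"%\{([^}]+)\}")            # %{field} inside a sprintf string


def expand(pattern, definitions):
    """Recursively replace %{NAME}/%{NAME:field} with the named pattern,
    giving a plain Python regex ((?P<field>...) for captured references)."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = expand(definitions[name], definitions)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(sub, pattern)


def grok_match(line):
    """Captured fields for one line, or None where Logstash would tag _grokparsefailure.
    grok is unanchored, so search() rather than match() mirrors it."""
    regex = re.compile(expand(MATCH, {**BASE_PATTERNS, **CUSTOM_PATTERNS}))
    m = regex.search(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def sprintf(template, event):
    """Logstash %{field} interpolation: a missing field is left as the literal text."""
    return FIELD_REF.sub(lambda m: str(event.get(m.group(1), m.group(0))), template)


def process(line):
    """grok followed by mutate add_field, as in the posted filter block."""
    event = {"message": line}
    fields = grok_match(line)
    if fields is None:
        event["tags"] = ["_grokparsefailure"]
    else:
        event.update(fields)
    for name, template in {"Host": "%{value}", "Level": "%{level}", "Text": "%{text}"}.items():
        event[name] = sprintf(template, event)
    return event


# Constructed sample lines (assumption about the log layout implied by the match).
GOOD_LINE = "12/25/2023 10:15:30 server01 backupd (alice) INFO: backup completed"
X_LINE = "12/25/2023 10:15:30.xx server01 backupd (alice) WARN: retrying"
BAD_LINE = "12/25/2023 10:15:30 server01 backupd alice INFO: backup completed"  # no parentheses


if __name__ == "__main__":
    for line in (GOOD_LINE, X_LINE, BAD_LINE):
        print(process(line))
```

Running the block prints the three resulting events; on BAD_LINE the Host, Level and Text fields contain the unresolved "%{value}", "%{level}" and "%{text}" strings alongside the _grokparsefailure tag, which is what to look for in the pipeline output when "nothing changes".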