hi
2019-11-22 13:02:01 INFO sometext:999 [applicationId=xxxxx] [version=xxxx] [hostname=hostname.domain] [logmessage=all went well]
can we remove the "sometext" and just show value of 999 so far the pattern i can get is this
filter {
grok {
match => { "message" => "%{DATESTAMP} %{LOGLEVEL} .*sometext.\s*:%{BASE10NUM:line} \[applicationId=%{DATA:applicationId}\] \[version=%{DATA:version}\] \[hostname=%{DATA:hostname}\] \[logmessage=%{DATA:logmessage}\]" }
this works fine when message has "sometext" but can we use a regex to ignore any text that is there for example instead of "sometext" it is "thistext"
Badger
November 26, 2019, 6:37pm
2
You could use
"^%{TIMESTAMP_ISO8601} %{LOGLEVEL} %{WORD}:%{BASE10NUM:line}"
or even
"^%{TIMESTAMP_ISO8601} %{LOGLEVEL} (?:[^:]+):%{BASE10NUM:line}"
Hi Badger
%{DATESTAMP} %{LOGLEVEL} .[a-zA-Z]+.\s :%{BASE10NUM:line}
Also tried your suggested solution and worked perfectly
Many Thanks
Badger
November 26, 2019, 6:52pm
4
DATESTAMP should not match "2019-11-22 13:02:01". TIMESTAMP_ISO8601 should.
Many Thanks again , i will correct it now
system
December 24, 2019, 6:55pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.