Ignore a string from logstash from grok pattern

Elastic Stack Logstash
1

hi
from a log file like this

2019-11-22 13:02:01 INFO sometext:999 [applicationId=xxxxx] [version=xxxx] [hostname=hostname.domain] [logmessage=all went well]

can we remove the "sometext" and just show value of 999 so far the pattern i can get is this

filter {
  grok {
    match => { "message" => "%{DATESTAMP} %{LOGLEVEL} .*sometext.\s*:%{BASE10NUM:line}  \[applicationId=%{DATA:applicationId}\] \[version=%{DATA:version}\] \[hostname=%{DATA:hostname}\] \[logmessage=%{DATA:logmessage}\]" }

this works fine when message has "sometext" but can we use a regex to ignore any text that is there for example instead of "sometext" it is "thistext"
Thanks

2

You could use

"^%{TIMESTAMP_ISO8601} %{LOGLEVEL} %{WORD}:%{BASE10NUM:line}"

or even

"^%{TIMESTAMP_ISO8601} %{LOGLEVEL} (?:[^:]+):%{BASE10NUM:line}"
3

Hi Badger
Thanks for coming back this soon, while waiting i tried this pattern and this worked too

%{DATESTAMP} %{LOGLEVEL} .[a-zA-Z]+.\s:%{BASE10NUM:line}

Also tried your suggested solution and worked perfectly

Many Thanks

4

DATESTAMP should not match "2019-11-22 13:02:01". TIMESTAMP_ISO8601 should.

5

Many Thanks again , i will correct it now