I am working on a filter using grok, and everything is good apart from one thing. The logs I need to design a filter for have irregular spacing between particular fields, e.g.:
log1: field1 field2 field3
log2:field1 field2 field3
log3: field1 field2 field3
I was looking to see if I could use 'drop' or something similar to solve this, but so far I can't find a solution.
I'll appreciate the help.
Depending on how you're parsing this you might find the mutate filter's strip option useful, or it might be more convenient to solve it with your existing grok filter.
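For example, if the separators are tabs that sometimes repeat, one option is to normalize the message with mutate's gsub before grok runs. This is only a sketch and assumes tabs are the only separator in your logs:

```
filter {
  mutate {
    # Collapse any run of tabs into a single tab so the grok
    # pattern can assume exactly one separator between fields.
    gsub => ["message", "\t+", "\t"]
  }
}
```

Note the caveat: if an empty column is represented by two consecutive tabs, collapsing them would merge that empty field into its neighbour, so this only works when empty columns don't carry meaning.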
Thank you for the quick response.
I have designed a filter for IIS logs using the same approach and it worked with no problem, but in this case I can't filter the entire log, apart from the first entry. The logs I'm trying to build the filter for are all over the place, so my filter will work only for the first log entry and then it stops. If I remove the first entry from the log and adjust the filter for the next one (I need to add or remove some \t), it will work, but only once.
input { stdin {} }
filter {
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601}\t%{NUMBER:UserRef}\t%{NUMBER:ContentRef}\t%{NOTSPACE:EntAccountID}\t%{NOTSPACE:EntitemId}\t%{NUMBER:EntitemIDtype}\t\t%{NUMBER:PolicyRef}\t%{NUMBER:OptionId}\t%{NOTSPACE:IpCountry}\t%{NOTSPACE:DeviceType}\t\t%{IPV4:SourceIpAddress}\t\t%{NUMBER:UseLicenseCount}\t\t%{NOTSPACE:SessionID}\t%{NUMBER:AffiliateRef}\t%{WORD:SubcontentType}\t\t%{NOTSPACE:DrmClientId}"]
  }
}
output { stdout { codec => rubydebug } }
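If the number of tabs between fields varies from line to line, one possibility (untested against your data, and assuming tabs are the only separator) is to make each separator in the pattern elastic by writing `\t+` instead of a fixed `\t` or `\t\t`, e.g.:

```
match => ["message", "%{TIMESTAMP_ISO8601}\t+%{NUMBER:UserRef}\t+%{NUMBER:ContentRef}\t+%{NOTSPACE:EntAccountID}\t+%{NOTSPACE:EntitemId}"]
```

(the rest of the pattern would be changed the same way). Like collapsing tabs with gsub, this loses the distinction between a single separator and an empty column, so it only helps when the double tabs in the original pattern were just spacing noise rather than empty fields.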
I was looking online for any examples of how to deal with similar issues, but no luck. I had a look at the strip option and I'm not sure how to assign the values to particular field entries. Do I just paste all the entries as they are in the grok, or do I assign names to them first, e.g. value = {TIMESTAMP_ISO8601} and so on?