Line break into log file

Hello,

I would like to know how to parse log lines that have many empty fields and many useless fields.

One line has 60 values but only 20 are really useful.

I have created a grok with sixty %{DATA:name} (I will improve it later).

How do I delete the empty fields and the fields that I do not need directly in my grok? Is it possible?

Thank you for your help

Use the remove_field option, probably under your grok filter.

If you don't want some of the fields, don't capture them in the first place. In other words, use %{DATA} instead of %{DATA:useless-field-to-delete}.

OK, thank you a lot for your help.

One last thing: when I specify %{BASE16NUM:hexa_value}:

This value is not converted to a decimal value; it's just information, no?

To really convert the hex value to a decimal value, I must use this:

=> Hexa_value : A2ED

=> Grok filter : %{BASE16NUM:Hexa_value}
and I must add a mutate? Then:

gsub => [ "Hexa_value", "0x8" ] ?

There's no native hexa_value data type.

Here's how to convert the hexstring into a decimal number: http://stackoverflow.com/a/25792807/414355
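
The two suggestions in this thread combined into one filter block, as an added example that is not part of the original posts. The semicolon delimiter, the six-column layout and the field names `device`, `status` and `hexa_value_dec` are constructed for illustration, and the `event.get`/`event.set` calls assume Logstash 5 or later.

```logstash
filter {
  grok {
    # Constructed six-column layout; a real 60-column line follows the same idea.
    # %{DATA} with no ":name" still consumes the column but creates no field,
    # so unwanted columns never reach the event and need no remove_field.
    match => {
      "message" => "^%{DATA:device};%{DATA};%{DATA};%{BASE16NUM:hexa_value};%{DATA};%{GREEDYDATA:status}$"
    }
    # Default setting, shown explicitly: named captures that matched an
    # empty string are not added to the event.
    keep_empty_captures => false
  }

  # BASE16NUM only checks that the text looks like hex; the field is still a
  # string. Convert it in a ruby filter and store the integer in a new field.
  if [hexa_value] {
    ruby {
      code => "event.set('hexa_value_dec', event.get('hexa_value').hex)"
    }
  }
}
```

Ruby's `String#hex` accepts the value with or without a leading `0x`, which matches what BASE16NUM allows.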
