Hi
My log structure is like this:
```text
Thu 11/09/17 15:05:44
11-09-2017 03:40:53 - :: | Error: 3303 | Data1 | 123456 6489 Description1
11-09-2017 03:40:54 - :: | Error: 3303 | Data2 | 123456 6489 Description2
....Thu 11/09/17 15:41:30
```
where the initial line is the error log start time and the last line is the error log end time.
I have to parse them and display them as startdate:Thu 11/09/17 15:05:44 and enddate:Thu 11/09/17 15:41:30.
Also, I want grok to stop matching after the first line of the log that matches "Error: 3303".
My config file is as below:
```text
input {...}
filter {
  grok {
    match => [ "message", "=%{SPACE}%{DAY}%{SPACE}%{DATE}%{SPACE}%{TIME:time}%{SPACE}%{DATA}" ]
    add_tag => [ 'dated' ]
  }
  grok {
    match => [ "message", "(\Error: 3303)" ]
    break_on_match => true
    add_tag => [ "trace" ]
  }
}
output {...}
```
But break_on_match is not working for me; it is adding the tag to the next lines also.
Also, how do I get the dates as startdate and enddate?
Please help me with this.
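A stand-alone Python parser for the block structure shown in the post, written as an added example (it is not the poster's config and not a Logstash filter): it takes the first and last marker lines as startdate/enddate and tags only the first `Error: 3303` line, which is what the post wants break_on_match to do. The marker date is assumed to be MM/DD/YY (the weekday name is checked against it), the event fields are assumed to be `|`-separated, and the sample log is a constructed copy of the structure above.

```python
import re
from datetime import datetime

# Constructed sample in the structure the post shows (not real log data).
SAMPLE_LOG = """Thu 11/09/17 15:05:44
11-09-2017 03:40:53 - :: | Error: 3303 | Data1 | 123456 6489 Description1
11-09-2017 03:40:54 - :: | Error: 3303 | Data2 | 123456 6489 Description2
Thu 11/09/17 15:41:30
"""

# Marker line, the equivalent of grok's %{DAY} %{DATE} %{TIME}.
MARKER_RE = re.compile(
    r"^(?P<day>Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2})$"
)
# Event line carrying "Error: <code>"; fields are assumed to be '|'-separated.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) - :: \| "
    r"Error: (?P<code>\d+) \| (?P<source>[^|]+?) \| (?P<detail>.*)$"
)


def parse_block(text, error_code="3303"):
    """Parse one start-marker ... end-marker block.

    Returns the raw marker lines as startdate/enddate (the display form the
    post asks for), their difference in seconds, and the event lines; only the
    first event with the wanted code gets the 'trace' tag."""
    markers, events = [], []
    for line in text.splitlines():
        m = MARKER_RE.match(line)
        if m:
            # Assumption: marker dates are MM/DD/YY; verify the weekday name agrees.
            stamp = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
            if stamp.strftime("%a") != m["day"]:
                raise ValueError(f"weekday does not match date: {line!r}")
            markers.append((line, stamp))
            continue
        e = EVENT_RE.match(line)
        if e and e["code"] == error_code:
            # Tag only the first matching event, later ones stay untagged.
            tagged = not any("trace" in ev["tags"] for ev in events)
            events.append({**e.groupdict(), "tags": ["trace"] if tagged else []})
    if len(markers) < 2:
        raise ValueError("block needs a start marker and an end marker")
    (start_raw, start), (end_raw, end) = markers[0], markers[-1]
    return {
        "startdate": start_raw,
        "enddate": end_raw,
        "duration_s": int((end - start).total_seconds()),
        "events": events,
    }
```

In Logstash each line arrives as its own event, and break_on_match only stops trying further patterns inside one grok filter for that one event, so it cannot suppress the tag on later lines. Grouping the lines of a block into a single event (for example with the multiline codec) before grok runs is what makes a start/end pair available in one place.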