Hello, I have a problem: when I try to use a grok regex, I can't capture other values like LOGLEVEL and so on. Maybe someone can help me. Here is my code:
input {
  beats {
    port => 5043
  }
}
filter {
  if [host] == "miram.int.bite.lt" {
    grok {
      # Named capture for the XML payload
      match => { "message" => "(?<parsedXML><(.*)</cc.>)"}
      # Second pattern, intended to capture the log level
      match => { "message" => "%{LOGLEVEL:loglevel}"}
    }
    mutate {
      gsub => ["parsedXML", """, "'"]
    }
  }
}
Your first attempt fails because the grok filter exits after the first match. Your second attempt fails because the expression just doesn't match your input.
Use a single expression that matches the whole input string. Something like this might work:
I decided to take the XML value with a grok match: match => { "message" => "(?<parsedXML><(.*)<\/cc.>)"}
and then take the other values with dissect, like this: dissect { mapping => { "message" => "%{ts} %{+ts} %{loglevel} %{msg}" } }
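
A single-expression version of the filter discussed in this thread, as an added example that is not code from any of the posters. It assumes a line layout of date, time, level, optional text, then the XML payload (inferred from the dissect mapping above); the field name `msg_prefix`, the failure tag, and the sample line in the comment are constructed for illustration.

```logstash
filter {
  if [host] == "miram.int.bite.lt" {
    grok {
      # One anchored expression covers the whole line, so every field is
      # captured by the same match instead of relying on a second pattern
      # that grok never reaches after the first one succeeds.
      #
      # Constructed sample line this pattern is written for:
      #   2018-03-01 10:15:30,123 INFO Response: <cc1><a>1</a></cc1>
      match => {
        "message" => "^%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:loglevel} %{DATA:msg_prefix}(?<parsedXML><.*</cc.>)"
      }
      # A distinct tag makes lines that do not fit this layout easy to find
      # downstream, instead of silently losing loglevel or parsedXML.
      tag_on_failure => ["_grokparsefailure_xml"]
    }
  }
}
```

If the two separate patterns must be kept, grok only evaluates all of them when `break_on_match => false` is set; an unanchored `%{LOGLEVEL}` can then also match a level-like word inside the XML payload, which the anchored expression above avoids.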