I am able to code till CC0: and after that I am able to take in as greedydata:
match => ["message", "%{WORD:msgtype}%{SPACE}%{WORD:code1}%{SPACE}%{WORD:module}%{SPACE}%{WORD:code2}%{SPACE}%{WORD:type1}%{SPACE}%{DATESTAMP:timestamp}%{SPACE}\(%{WORD:method}\:%{SPACE}%{NUMBER:code3}\)%{SPACE}%{GREEDYDATA:msg}"]
But after CC0, I need it to be separate fields and not greedydata.
Can someone help me on this?
Thanks!
It's very hard to ask someone to define a generalised pattern for something and also only provide a single example.
When I paste your single message and pattern into the Grok Constructor, I see that after the timestamp field, your pattern expects a space, followed by a literal open paren ((), but the log message does not have an open paren at this position.
Once you get the GREEDYDATA to capture only that which is after DlschInfo:, you can likely use the kv filter to capture the key/value pairs in the rest.
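Added example, not part of the original thread or either poster's configuration: a Logstash filter that anchors grok on the literal `DlschInfo:` and passes only the remainder to the kv filter, as the reply suggests. The thread does not include the log message, so the sample line, the `=` and space separators, and the field names `carrier`, `kv_payload` and `dlsch` are all assumptions.

```logstash
filter {
  # Constructed sample line (the real log message is not shown in the thread):
  #   INFO 0x12 MAC 0x7 TRACE 21/03/18 10:15:42 CC0: DlschInfo: rnti=4021 harqId=3 mcs=17
  grok {
    # Parse the fixed prefix field by field, then match "DlschInfo:" literally
    # so GREEDYDATA captures only the key/value text that follows it.
    match => {
      "message" => "%{WORD:msgtype}%{SPACE}%{WORD:code1}%{SPACE}%{WORD:module}%{SPACE}%{WORD:code2}%{SPACE}%{WORD:type1}%{SPACE}%{DATESTAMP:timestamp}%{SPACE}%{WORD:carrier}:%{SPACE}DlschInfo:%{SPACE}%{GREEDYDATA:kv_payload}"
    }
  }

  # Skip kv when grok did not match, so unparsed lines stay easy to find
  # by their _grokparsefailure tag.
  if "_grokparsefailure" not in [tags] {
    kv {
      source      => "kv_payload"
      field_split => " "    # assumed: pairs separated by spaces
      value_split => "="    # assumed: key and value separated by "="
      # Nest the parsed keys under one field so a key name taken from the
      # log line cannot overwrite an existing top-level event field.
      target      => "dlsch"
      remove_field => ["kv_payload"]
    }
  }
}
```

With the constructed line above, the event ends up with `carrier` set to `CC0` and the pairs under `[dlsch][rnti]`, `[dlsch][harqId]` and `[dlsch][mcs]`.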