Logstash Grok

Elk_huh · November 25, 2020, 3:49pm

I need to start a grok at <190>
I dont care about anything before that . What is the way to do this ?

<13>Nov 25 15:36:31 servername.abc.com LOGSTASH[-]: <190>Nov 25 07:36:31

Wolfram_Haussig · November 26, 2020, 5:43am

Hello Brian,

Yo can use the grok debugger in Kibanas Dev Tools to test it: Grok patterns do not necessarily need to start at the beginning of the message. Something like this will work:
<190>%{MONTH:month} %{MONTHDAY:day} %{TIME:time}

Best regards
Wolfram

Elitlogik · November 26, 2020, 1:06pm

Are you 100% sure <190> will be the PRI header for 100% of the log events? Never <189>?

Elk_huh · December 1, 2020, 3:51pm

i ended up doing a %{GREEDYDATA:notneeded} %{SYSLOG5424PRI}

to start at <190>

system · December 29, 2020, 3:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.