I want to display null value from the below log in Kibana.
"Roles changed for user 'AIPTEST\geetanjali.j.podal' from "" to "ContentAdmin""
I am able to capture it at 'https://grokdebug.herokuapp.com/' by using the pattern below, but I am not able to capture it through the Logstash config and Kibana as well.
"(?<role_type>\b\w+\b\s\b\w+\b) for user '%{WORD:domain}\%{USERNAME:role_changed_for}' from \"(?<role_from>.*)\" to \"(?<role_to>.*)\"\t%{USERNAME:id6}"
Result looks like this when I debug at 'https://grokdebug.herokuapp.com/'
    "role_from": [
      [
        ""
      ]
    ],
    "role_to": [
      [
        "ContentAdmin"
      ]
Your regular expression has (most likely) been screwed up when you posted here since sequences like <whatever> are replaced with an empty string. Please edit your post, select the regular expression, and click the </> button in the toolbar. I don't want to guess what your regular expression looks like.
You didn't format the whole expression as code so I still had to hand edit it to get it to work.
This works with the example input that you provided:
    filter {
      grok {
        match => ["message", "(?<what>\b\w+\b\s\b\w+\b) for user '%{WORD:domain}\\%{USERNAME:role_changed_for}' from \"(?<role_from>.*)\" to \"(?<role_to>.*)\""]
        keep_empty_captures => true
      }
    }
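The reason the empty `role_from` value disappears without `keep_empty_captures => true` is that Logstash's grok filter drops captures whose value is the empty string by default. The following is an added example (not code from the thread above) that emulates that behaviour in plain Python: it expands the grok pattern from the answer into an equivalent regular expression (`%{WORD}` and `%{USERNAME}` replaced by their standard grok definitions) and runs it over the sample log line from the question, once with empty captures dropped and once with them kept. The `grok` function name and the sample line are constructed for this example.

```python
import re

# Constructed sample input: the log line from the question (the backslash is escaped for Python)
SAMPLE = "Roles changed for user 'AIPTEST\\geetanjali.j.podal' from \"\" to \"ContentAdmin\""

# Hand-expanded equivalent of the grok pattern in the answer:
#   %{WORD}     -> \b\w+\b
#   %{USERNAME} -> [a-zA-Z0-9._-]+
# Non-greedy .*? is used for the quoted role values so each stops at the next quote.
PATTERN = re.compile(
    r"(?P<what>\b\w+\b\s\b\w+\b) for user "
    r"'(?P<domain>\w+)\\(?P<role_changed_for>[a-zA-Z0-9._-]+)' "
    r"from \"(?P<role_from>.*?)\" to \"(?P<role_to>.*?)\""
)


def grok(line, keep_empty_captures=False):
    """Return the named captures for one log line, or None when the pattern does not match.

    Mirrors the Logstash grok filter: empty-string captures are discarded unless
    keep_empty_captures is True, which is why role_from vanished in the question.
    """
    match = PATTERN.search(line)
    if match is None:
        return None
    fields = match.groupdict()
    if not keep_empty_captures:
        fields = {name: value for name, value in fields.items() if value != ""}
    return fields


if __name__ == "__main__":
    print("default:            ", grok(SAMPLE))
    print("keep_empty_captures:", grok(SAMPLE, keep_empty_captures=True))
```

With the default setting `role_from` is absent from the result, exactly as in Kibana; with `keep_empty_captures=True` it is present with the value `""`, matching the grok debugger output in the question.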