Hi all,
Each line in my log file does not contain a source IP address, so the
"message" => "%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}\s+%{THREAD:thread}\s+(?:%{IP:ip})"
so it returns a "no match" from the grok debugger. As a result, the fields that I'm expecting to be created by the grok{} are not being created. So we tried to make the pattern for IP in this expression something like:
match => {"message" => "%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}\s+%{THREAD:thread}\s+(?:%{IP:ip})"}
Correction: It seems I had made a mistake. This new expression is also not delivering the expected result, i.e. if the IP is not present then the expression returns a no match. Is there a way to solve this?
NB: I haven't yet tested the same in Logstash and Kibana for field creation; I'm still working with the grok debugger, where it shows a success. Also, THREAD:thread is a custom pattern, like: THREAD [\s*\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))(.?|\b)\s*] _
Continuing the discussion from Grok for parsing java Log:
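The following is an added worked example, not code from the post above or from Logstash itself. It reproduces the behaviour the poster sees by expanding grok-style `%{NAME:field}` references into a plain Python regex (grok compiles to a regex in the same way, although Logstash uses Oniguruma rather than Python's `re`). The base patterns are copied from Logstash's grok-patterns file, with one simplification: the atomic group in YEAR is replaced by a normal group. The THREAD definition is a stand-in assumption (`\[[^\]]+\]`) because the custom pattern quoted in the post is not legible, and the three log lines are constructed for the example. The point it shows: `(?:%{IP:ip})` is a group but not an optional one, `(?:%{IP:ip})?` is optional but still needs the `\s+` in front of it to match something, and `(?:\s+%{IP:ip})?` is what actually tolerates a line that ends right after the thread name.

```python
import re

# Base patterns copied from Logstash's grok-patterns file (YEAR simplified:
# the original uses an atomic group, which older Python re does not support).
PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "LOGLEVEL": (
        r"(?:[Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|"
        r"[Ii]nfo?(?:rmation)?|INFO?(?:RMATION)?|[Ww]arn?(?:ing)?|WARN?(?:ING)?|"
        r"[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|"
        r"[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)"
    ),
    "IPV4": (
        r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
        r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
        r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
        r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])"
    ),
    "IP": r"%{IPV4}",
    # Assumption: a simple stand-in for the poster's custom THREAD pattern.
    "THREAD": r"\[[^\]]+\]",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern, patterns=PATTERNS):
    """Expand %{NAME} / %{NAME:field} references recursively into a regex.
    A reference with a field name becomes a named capture group."""

    def expand(match):
        name, field = match.group(1), match.group(2)
        inner = expand_all(patterns[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"

    def expand_all(text):
        return _REF.sub(expand, text)

    return re.compile(expand_all(pattern))


def grok_match(pattern, line):
    """Unanchored match, like grok: returns the captured fields or None.
    (Logstash leaves an unmatched optional field out entirely; Python's
    groupdict() reports it as None.)"""
    m = compile_grok(pattern).search(line)
    return None if m is None else m.groupdict()


PREFIX = r"%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}\s+%{THREAD:thread}"

POSTED = PREFIX + r"\s+(?:%{IP:ip})"         # the post's pattern: group, not optional
OPTIONAL_IP = PREFIX + r"\s+(?:%{IP:ip})?"   # optional, but \s+ is still mandatory
OPTIONAL_IP_WITH_SPACE = PREFIX + r"(?:\s+%{IP:ip})?"  # whitespace inside the optional group

# Constructed sample lines: with an IP, without an IP, and ending at the thread.
LINES = [
    "2023-05-04T10:15:30,123 INFO [main] 10.0.0.5 request accepted",
    "2023-05-04T10:15:31,456 WARN [worker-1] cache miss",
    "2023-05-04T10:15:32,789 DEBUG [worker-2]",
]

if __name__ == "__main__":
    for label, pat in (("posted", POSTED), ("optional", OPTIONAL_IP),
                       ("optional+space", OPTIONAL_IP_WITH_SPACE)):
        for line in LINES:
            print(f"{label:15} {line!r:65} -> {grok_match(pat, line)}")
```

Run it and compare the three columns: the posted pattern matches only the first line, `(?:%{IP:ip})?` still rejects the line that ends at `[worker-2]` because `\s+` has nothing to consume, and `(?:\s+%{IP:ip})?` accepts all three while only populating `ip` where one is present. The same change carries over directly to the grok{} `match` in Logstash.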