Match field based on content via regex

evlonden · April 26, 2017, 7:27am

Hello,

Loglines often contains a severity field containing INFO, WARNING etc. I tried to use a pattern like

BREVTCLASS (?:INFO?|WARNING?|ERROR?|CRITICAL?)

which I pick up in grok with
%{BREVTCLASS:syslog_evtclass}

but loglines such as this

<150>Apr 26 17:13:25 Sydney_ILAB_DCX8510 raslogd: 2017/04/26-17:13:25, [LOG-1000], 1748, SLOT 4 WWN 10:00:50:eb:1a:59:0b:00 | FID 128, INFO, Sydney_ILAB_DCX8510, Previous message repeated 4 time(s).

continuously show a grokparse failure.

Any ideas?

Thanks

evlonden · April 26, 2017, 7:28am

Ohh, PS. that is the rule that traps the grok parse failure as when I remove that the others in the same match statement succeed

system · May 24, 2017, 7:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Regex on matched field Logstash	2	245	May 18, 2018
Grok parse failures Logstash	4	286	December 29, 2020
Custom grok pattern failure with forwardslashes Logstash	5	726	February 28, 2018
Grok Empty Field Parse Failure Logstash	4	4005	July 6, 2017
Parse contents of a specific field and store in new fields Logstash	1	186	October 27, 2021

Match field based on content via regex

Related topics