Match field based on content via regex

evlonden · April 26, 2017, 7:27am

Hello,

Loglines often contains a severity field containing INFO, WARNING etc. I tried to use a pattern like

BREVTCLASS (?:INFO?|WARNING?|ERROR?|CRITICAL?)

which I pick up in grok with
%{BREVTCLASS:syslog_evtclass}

but loglines such as this

<150>Apr 26 17:13:25 Sydney_ILAB_DCX8510 raslogd: 2017/04/26-17:13:25, [LOG-1000], 1748, SLOT 4 WWN 10:00:50:eb:1a:59:0b:00 | FID 128, INFO, Sydney_ILAB_DCX8510, Previous message repeated 4 time(s).

continuously show a grokparse failure.

Any ideas?

Thanks

evlonden · April 26, 2017, 7:28am

Ohh, PS. that is the rule that traps the grok parse failure as when I remove that the others in the same match statement succeed

system · May 24, 2017, 7:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.