I inherited a configuration file that I need to build upon to make it work for more logs. Currently, when I run the stack I get errors:
17:23:19.046 [[main]>worker11] WARN logstash.filters.grok - Timeout executing grok '%{DATESTAMP:date} %{DATA:hostName} (%{DATA:processName})?\[%{NUMBER:processID}\]: +%{DATA:host2} +(%{DATA:user})? +%{DATA:action} +%{DATESTAMP:date2} +%{DATA:first} +%{DATA:second} +%{DATA:third} +%{DATA:status} +%{NUMBER:number}' against field 'message' with value '09/26/16 12:10:17 bccdac1 alarm_select[19092]: bccdac1 e05543 AUTO-DEL:ON ACK 09/26/16 12:10:17 U2AGC130 AGC-UNITS Unit Status_ Colstrip Unit Connect Status Change CLOSED 2'!
I read in a previous post that multiple uses of DATA can slow down Logstash and cause these errors. This is my grok pattern:
%{DATESTAMP:date} %{DATA:hostName} (%{DATA:processName})?\[%{NUMBER:processID}\]: +%{DATA:host2} +(%{DATA:user})? +%{DATA:action} +%{DATESTAMP:date2} +%{DATA:first} +%{DATA:second} +%{DATA:third} +%{DATA:status} +%{NUMBER:number}
I need to recreate this grok so that it does not produce this error anymore. I am wondering what the + signs mean/do? Also, any tips on recreating this grok more efficiently?
Thanks!
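Added example (not part of the question above, and not the poster's configuration): a small grok-to-regex expander that shows what the pattern compiles to, what the ` +` pieces are, and how the posted pattern actually splits the line from the warning. The pattern definitions are transcribed from Logstash's stock grok-patterns file, lightly adapted so Python's `re` can compile them (Logstash uses atomic groups, which need Python 3.11+). The tightened pattern is my suggestion, built on the poster's own field names: anchor with `^` and `$`, and use `NOTSPACE`/`WORD`/`INT` for single-token fields so that only the two fields that genuinely contain spaces stay as `DATA`. Each ` +` is plain regex: a space followed by the one-or-more quantifier, so it matches one or more spaces.

```python
import re
from typing import Optional

# Subset of Logstash's grok-patterns definitions, transcribed for this example.
# Logstash wraps YEAR and BASE10NUM in atomic groups (?>...); (?:...) is used here
# so the regexes also compile on Python versions before 3.11.
GROK_PATTERNS = {
    "DATA": r".*?",        # lazy "anything": the pattern the question worries about
    "NOTSPACE": r"\S+",    # one whitespace-free token: cheap and never crosses a space
    "WORD": r"\b\w+\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "BASE10NUM": r"(?<![0-9.+-])(?:[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))",
    "NUMBER": r"(?:%{BASE10NUM})",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"(?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "DATE_US": r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "DATE_EU": r"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}",
    "DATE": r"%{DATE_US}|%{DATE_EU}",
    "DATESTAMP": r"%{DATE}[- ]%{TIME}",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} / %{NAME:field} references into a plain regex with named groups.

    Anything that is not a %{...} reference, including the ' +' in the question
    (a literal space followed by the one-or-more quantifier), passes through as-is.
    """
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(GROK_PATTERNS[name])  # recurse: DATESTAMP -> DATE -> DATE_US ...
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _REF.sub(expand, pattern)


def grok_match(pattern: str, text: str) -> Optional[dict]:
    """Apply a grok pattern as the filter does (unanchored search); None when it does not match."""
    m = re.search(grok_to_regex(pattern), text)
    return m.groupdict() if m else None


def lint(pattern: str) -> dict:
    """Two cheap static checks for the things that make a grok pattern slow: no anchors, many DATAs."""
    return {
        "anchored": pattern.startswith("^") and pattern.endswith("$"),
        "data_refs": len(re.findall(r"%\{(?:GREEDY)?DATA\b", pattern)),
    }


# The pattern from the question, verbatim.
ORIGINAL = (
    r"%{DATESTAMP:date} %{DATA:hostName} (%{DATA:processName})?\[%{NUMBER:processID}\]: +%{DATA:host2}"
    r" +(%{DATA:user})? +%{DATA:action} +%{DATESTAMP:date2} +%{DATA:first} +%{DATA:second}"
    r" +%{DATA:third} +%{DATA:status} +%{NUMBER:number}"
)

# Suggested rewrite (my assumption about which fields are single tokens, based on the sample line):
# anchored at both ends, DATA kept only for 'action' and 'third', which really contain spaces.
TIGHTENED = (
    r"^%{DATESTAMP:date} %{NOTSPACE:hostName} (?:%{NOTSPACE:processName})?\[%{INT:processID}\]: +%{NOTSPACE:host2}"
    r" +(?:%{NOTSPACE:user} +)?%{DATA:action} +%{DATESTAMP:date2} +%{NOTSPACE:first} +%{NOTSPACE:second}"
    r" +%{DATA:third} +%{WORD:status} +%{INT:number}$"
)

# The event text quoted in the WARN line of the question.
SAMPLE = ("09/26/16 12:10:17 bccdac1 alarm_select[19092]: bccdac1 e05543 AUTO-DEL:ON ACK "
          "09/26/16 12:10:17 U2AGC130 AGC-UNITS Unit Status_ Colstrip Unit Connect Status Change CLOSED 2")

if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(label, lint(pat))
        for key, value in (grok_match(pat, SAMPLE) or {}).items():
            print(f"  {key:12s} = {value!r}")
```

Running it shows why the chain of lazy `DATA` fields is a correctness problem as well as a performance one: with the original pattern, `third` comes out as just `Unit` and `status` swallows `Status_ Colstrip Unit Connect Status Change CLOSED`, because each `.*?` stops at the first split that lets the rest of the pattern succeed. The anchored version gives `third` the free-text middle and `status` the single word `CLOSED`. The operational caveat is that an event which hits the grok timeout is tagged `_groktimeout` and continues down the pipeline unparsed, so any alert or dashboard keyed on these fields silently misses it; that is worth an alert on the tag itself while the pattern is being fixed.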