Hi,
I have logs like this:
{20151003010443,D,
{1,1},61,62,5,761520333,6,L,"SOME TEXT 1",1,
{"P",
{6,
{"S","SOME TEXT 2"},
{"S","SOME TEXT 3"}
}
},"",5,13,13,894575181,1,
{1}
}
I wrote and tested a grok filter with the Kibana grok debugger.
{%{DATESTAMP_EVENTLOG:date},%{GREEDYDATA:transaction-status},
{%{GREEDYDATA:transaction},%{GREEDYDATA:transaction-num}},%{INT:user},%{INT:computer-name},%{INT:application},%{INT:connection-num},%{INT:event-id},%{DATA:event-type},"%{TRULYGREEDY:comment}%{INT:metadata-id},
{"P",
{6,
%{GREEDYDATA:array1},
%{GREEDYDATA:array2}
}
},%{DATA:data-string}",%{INT:server-id},%{INT:main-port},%{INT:second-port},%{INT:session},%{INT:string-length},
%{GREEDYDATA:last-array}
}
>>TRULYGREEDY (?<message>(.|\r|\n)*?(",))
Text in "SOME TEXT 1" can be up to 1000 strings.
So I put the grok filter into the Logstash config as is, but it doesn't seem to work.
filter {
  if [type] == "external1" {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => { "message" => ['{%{DATESTAMP_EVENTLOG:date},%{GREEDYDATA:transaction-status},
{%{GREEDYDATA:transaction},%{GREEDYDATA:transaction-num}},%{INT:user},%{INT:computer-name},%{INT:application},%{INT:connection-num},%{INT:event-id},%{DATA:event-type},"%{TRULYGREEDY:comment}%{INT:metadata-id},
{"P",
{6,
%{GREEDYDATA:array1},
%{GREEDYDATA:array2}
}
},%{DATA:data-string}",%{INT:server-id},%{INT:main-port},%{INT:second-port},%{INT:session},%{INT:string-length},
%{GREEDYDATA:last-array}
}'
      ] }
    }
  }
}
Where was I wrong?
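A structural parser for this record format, added here as an example (it is not from the post and not Logstash or grok code): it tokenizes braces, commas and quoted strings, so a comment holding commas or newlines cannot bleed into neighbouring fields the way chained GREEDYDATA captures can, and its framing check returns false for a single line of the record, which is what a line-oriented Logstash input delivers per event unless a multiline codec joins the lines first. The SAMPLE is constructed from the post; element positions follow the post's grok capture order (element 9 is the comment).

```python
import re

# Constructed sample in the post's shape; assumption: the whole multi-line text is ONE event.
SAMPLE = '''{20151003010443,D,
{1,1},61,62,5,761520333,6,L,"SOME TEXT 1",1,
{"P",
{6,
{"S","SOME TEXT 2"},
{"S","SOME TEXT 3"}
}
},"",5,13,13,894575181,1,
{1}
}'''

# One token per match: brace, comma, quoted string (which may hold commas and
# newlines, the part a GREEDYDATA-based grok cannot delimit reliably) or bare atom.
_TOKEN = re.compile(r'\s*(?:(?P<open>\{)|(?P<close>\})|(?P<comma>,)'
                    r'|"(?P<str>(?:[^"\\]|\\.)*)"|(?P<atom>[^,{}"\s]+))', re.S)

def parse(text):
    """Parse exactly one balanced record into nested lists; digit runs become ints."""
    text, pos, stack = text.strip(), 0, [[]]
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}")
        pos, kind = m.end(), m.lastgroup
        if kind == "open":
            stack.append([])
        elif kind == "close":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack[-2].append(stack.pop())   # stack[-2] is bound before pop() runs
        elif kind != "comma":               # "str" or "atom"; commas only separate
            v = m.group(kind)
            stack[-1].append(int(v) if kind == "atom" and v.isdigit() else v)
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected exactly one balanced top-level record")
    return stack[0][0]

def is_complete_record(text):
    """True only when text holds one whole record: a framing check worth running
    before the grok stage, since one line of a multi-line record never balances."""
    try:
        parse(text)
        return True
    except ValueError:
        return False
```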