Multiline: Divide an email with a number of jobs into multiple events

Hey everyone,

I have some questions about grok patterns and multiline.
My input is an email from a mailbox.

This email is composed of multiple jobs, but Logstash takes it as one single event.
I would like to divide this event into a number of events, one per job.
But it doesn't work when I try to divide the email...

Then the first job begins:

"Export: Release 11.2.0.4.0 - Production on Mon Apr 16 01:15:01 2018
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
...
PARFILE...
...
Job "SYSTEM"."SYS_EXPORT_SCHEMA_01" successfully completed at Mon Apr 16 01:15:44 2018 elapsed 0 00:00:42"

The second job:

"Export: Release 11.2.0.4.0 - Production on Mon Apr 16 01:15:45 2018
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
...
PARFILE
Job "SYSTEM"."SYS_EXPORT_SCHEMA_01" successfully completed at Mon Apr 16 01:17:57 2018 elapsed 0 00:02:12"

and so on..

The number of jobs in an email isn't fixed!

This is the content of my logstash.conf:

input {

  imap {...
  }

  stdin {
    codec => multiline {
      # the header line in the mail reads "Export: Release" (space after the colon);
      # anchor it to the start of the line so only that line starts a new event
      pattern => "^Export: Release"
      negate => true
      what => "previous"
    }
  }

}

filter {

  # this grok is for another email
  grok {
    match => { "message" => ["%{UNIXPATH:path} version 2 for %{DATA:database} on time %{DATA:date}"] }
  }

  grok {
    # (?m) lets GREEDYDATA/DATA span the line breaks inside one job;
    # the duration is a plain hh:mm:ss pattern ([0-23] in a regex is a
    # character class of the digits 0-3, not a range 0..23)
    match => { "message" => ["(?m)Export: Release %{GREEDYDATA:unimportant} PARFILE= %{UNIXPATH:path} %{GREEDYDATA:unimportant2} Job %{DATA:job} %{DATA:status} at %{DATA:date} elapsed 0 (?<duration>\d{2}:\d{2}:\d{2})"] }
  }

  # this grok is for another email
  grok {
    match => { "message" => ["ERROR: RMAN backup for %{DATA:database} was %{GREEDYDATA:status}"] }
  }

  # this grok is for another email
  grok {
    # the hand-written year-month-day hour:minute:second pattern is the
    # built-in TIMESTAMP_ISO8601 pattern
    match => { "message" => ["%{TIMESTAMP_ISO8601:timestamp} %{DATA:Start} .*"] }
  }
}

output {
...
}

Can someone please help me?!

Thank you very much & many greetings
Swantje
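The splitting the post asks for, as an added example that is not the original poster's configuration: the imap input hands Logstash the whole mail as one event, and a codec only works on the raw input stream, so the per-job cut has to happen in a filter (a `split` filter with a terminator, or a `ruby` filter). The script below shows that cut and the field extraction in plain Ruby so it can be run outside Logstash. The mail body, the file paths, the preamble and the third, failed job are constructed for the example; only the "Export: Release" and "Job ... at ... elapsed" line shapes come from the post.

```ruby
# Added example (not the poster's config): split one mail body that holds several
# Oracle Data Pump export logs into one record per job and extract the fields the
# grok pattern in the question is after. The same functions can be dropped into a
# Logstash `ruby` filter that reads event.get("message") and emits one event per chunk.
require "json"

# Constructed sample mail. Paths, the preamble and the third (failed) job are made
# up for the example; the line shapes follow the ones quoted in the post.
SAMPLE_EMAIL = <<~MAIL
  Hello, here are tonight's export logs.

  Export: Release 11.2.0.4.0 - Production on Mon Apr 16 01:15:01 2018
  Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
  Starting "SYSTEM"."SYS_EXPORT_SCHEMA_01": system/******** PARFILE=/u01/app/exp_hr.par
  Job "SYSTEM"."SYS_EXPORT_SCHEMA_01" successfully completed at Mon Apr 16 01:15:44 2018 elapsed 0 00:00:42
  Export: Release 11.2.0.4.0 - Production on Mon Apr 16 01:15:45 2018
  Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
  Starting "SYSTEM"."SYS_EXPORT_SCHEMA_01": system/******** PARFILE=/u01/app/exp_sales.par
  Job "SYSTEM"."SYS_EXPORT_SCHEMA_01" successfully completed at Mon Apr 16 01:17:57 2018 elapsed 0 00:02:12
  Export: Release 11.2.0.4.0 - Production on Mon Apr 16 01:17:58 2018
  Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
  Starting "SYSTEM"."SYS_EXPORT_SCHEMA_02": system/******** PARFILE=/u01/app/exp_fin.par
  ORA-39002: invalid operation
  Job "SYSTEM"."SYS_EXPORT_SCHEMA_02" stopped due to fatal error at Mon Apr 16 01:18:30 2018
MAIL

# A job runs from an "Export: Release" line up to the next such line or the end of
# the body; anything before the first header (mail preamble) is not a job.
JOB_BOUNDARY = /^Export: Release .*?(?=^Export: Release |\z)/m

HEADER  = /^Export: Release (?<release>\S+) - Production on (?<started>.+)$/
PARFILE = /PARFILE=(?<path>\S+)/
# Equivalent of the tail of the grok in the question. The duration is hh:mm:ss;
# grok's [0-23]:[0-59]:[0-59] would be three character classes, not ranges.
JOB_END = /^Job (?<job>"[^"]+"\."[^"]+") (?<status>successfully completed|completed with \d+ error\(s\)|stopped due to fatal error) at (?<date>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})(?: elapsed 0 (?<duration>\d{2}:\d{2}:\d{2}))?/

def capture(regex, text, name)
  m = regex.match(text)
  m && m[name]
end

# "0 00:02:12" -> 132, so a slow job can be alerted on numerically
def to_seconds(hms)
  return nil if hms.nil?
  h, m, s = hms.split(":").map(&:to_i)
  h * 3600 + m * 60 + s
end

def split_jobs(body)
  body.scan(JOB_BOUNDARY)
end

def parse_job(chunk)
  duration = capture(JOB_END, chunk, :duration)
  {
    "release"          => capture(HEADER, chunk, :release),
    "started"          => capture(HEADER, chunk, :started),
    "path"             => capture(PARFILE, chunk, :path),
    "job"              => capture(JOB_END, chunk, :job),
    # A chunk with no "Job ... at" line (export killed, mail truncated) must not
    # silently look like a success.
    "status"           => capture(JOB_END, chunk, :status) || "unknown",
    "date"             => capture(JOB_END, chunk, :date),
    "duration"         => duration,
    "duration_seconds" => to_seconds(duration),
  }
end

def parse_email(body)
  split_jobs(body).map { |chunk| parse_job(chunk) }
end

if __FILE__ == $PROGRAM_NAME
  parse_email(SAMPLE_EMAIL).each { |event| puts JSON.generate(event) }
end
```

Running the script prints one JSON line per job, which is what a `ruby` filter would turn into separate Logstash events. The `status` default of `"unknown"` and the optional `elapsed` group are the parts worth keeping when moving this back into grok: a job that was killed or a mail that was cut off otherwise ends up untagged or tagged `_grokparsefailure` without any record of which job it was.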
