This is my log line:
2015-04-14 03:28:12,628 [8] DEBUG NCR.XE.Component.MessageHandler.HistoryEventMessageProcessor - Starting RentalTransactionMessageProcessor message type with the data <invoice iid="00000000-4164-1638-e168-ffff08d24460" id="635645932534212842" dt="2015-04-14T07:27:33" dt_local="2015-04-14T00:27:33" cc_digits="0027" gov_id="" email="" f_name="Test" l_name="EB" m_name="" dob="" addr1="" addr2="" city="" state="" zip="99577" country="" phone1="" phone2="" cc_type="0" AllowSpecialOffers="false" AllowReceipts="false" /><payment amount="15" cc_digits="0027" /></invoice>
I want to get the msg field separated from this log line and create a new field for the cc_digits value, which for the above log line contains 0027.
My configuration for this:
filter {
  multiline {
    pattern => "^%{TIMESTAMP_ISO8601}"
    what => "previous"
    negate => true
  }
  # Delete trailing whitespaces
  mutate {
    strip => "message"
  }
  # Delete \n from messages
  mutate {
    gsub => ['message', "\n", " "]
  }
  # Delete \r from messages
  mutate {
    gsub => ['message', "\r", " "]
  }
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time} \[%{NUMBER:thread}\] %{LOGLEVEL:loglevel} %{JAVACLASS:class} - %{GREEDYDATA:msg}" }
  }
  grok {
    match => { "msg" => "%{GREEDYDATA:text}" }
  }
}
I am not able to get the correct configuration. Can you please provide the correct configuration?
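
One way to get the msg field and a separate cc_digits field from the log line above, as an added example that is not part of the original post. It assumes each event reaches the filter as a single line in message; the stdin/stdout plugins and the _no_cc_digits tag name are chosen here for local testing.

```logstash
# Added example: run with bin/logstash -f <this file> and paste the log line on stdin.
input { stdin { } }

filter {
  # Split the line into time, thread, loglevel, class and the remaining text (msg).
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time} \[%{NUMBER:thread}\] %{LOGLEVEL:loglevel} %{JAVACLASS:class} - %{GREEDYDATA:msg}" }
  }

  # Pull the four digits out of msg into their own field.
  # Single quotes avoid having to escape the double quotes inside the pattern.
  # The attribute occurs twice in the sample line (invoice and payment);
  # the regex search stops at the first occurrence.
  if [msg] {
    grok {
      match => { "msg" => '\bcc_digits="(?<cc_digits>\d{4})"' }
      # Lines without the attribute get this tag (assumed name) instead of _grokparsefailure.
      tag_on_failure => ["_no_cc_digits"]
    }
  }
}

output { stdout { codec => rubydebug } }
```

For the sample line this yields msg starting with "Starting RentalTransactionMessageProcessor" and cc_digits set to 0027.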