Hi,
I have 2 different patterns in my logs. How do I take them both into account in my logstash configuration file?
Pattern 1: 2016-06-03 08:44:52 | INFO | [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] | WAKEUP-REQ | RECEIVED | urn:uuid:5c10c107-88f2-3d8b-892f-1ebe004f23f5
Pattern 2: 2016-06-03 08:45:02 | INFO | [jmsContainer-15] | AQ-REQ | RECIEVED | urn:uuid:64543F49-6A27-4AD9-AC0D-0B0A0AA27936
My logstash config file looks like the following:
I used the grokdebugger to make the query:
filter {
  grok {
    match => [ "message", "%{NOTSPACE} %{NOTSPACE:threadType} %{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE} %{GREEDYDATA:requestDetails}" ]
  }
  if [threadType] {
    grok {
      break_on_match => true
      match => [ "message", "%{NOTSPACE} %{NOTSPACE:threadType} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE} %{GREEDYDATA:requestDetails}" ]
    }
  }
  mutate {
    remove => [ "message" ]
  }
}
I am having trouble with it. Please help! The current config file I have doesn't work!
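
Added example, not part of the original post: a filter that parses both sample lines by anchoring on the ` | ` delimiters instead of counting space-separated tokens, since the thread name in Pattern 1 contains spaces. The field names `timestamp` and `level` are assumptions; the other field names are the ones used in the post, and the second pattern in the array is a constructed fallback showing how grok tries several patterns in order.

```logstash
filter {
  grok {
    # Patterns for one field are tried top to bottom; grok stops at the
    # first match (break_on_match defaults to true).
    match => {
      "message" => [
        # Both sample lines: timestamp | level | [thread] | type | status | details
        # DATA is lazy, so it runs to the "] | " that closes the thread field,
        # which keeps the inner "[ACTIVE]" and the spaces inside threadType.
        "^%{TIMESTAMP_ISO8601:timestamp} \| %{LOGLEVEL:level} \| \[%{DATA:threadType}\] \| %{NOTSPACE:requestType} \| %{WORD:requestStatus} \| %{GREEDYDATA:requestDetails}$",
        # Constructed fallback for lines that do not have all six fields.
        "^%{TIMESTAMP_ISO8601:timestamp} \| %{LOGLEVEL:level} \| %{GREEDYDATA:requestDetails}$"
      ]
    }
  }

  # Use the timestamp from the log line as the event time.
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
  }

  # Drop the raw line only when parsing succeeded, so lines that match
  # neither pattern keep their original text for later inspection.
  if "_grokparsefailure" not in [tags] {
    mutate {
      remove_field => [ "message" ]
    }
  }
}
```

Events tagged `_grokparsefailure` keep `message`, which makes unparsed or unexpected log formats visible downstream instead of silently emptying them.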