Hey,
I need some help writing a nested parser for the following log;
it has the same type of log fields from the beginning again in the middle of the current log.
See for yourself:
174>ABC Firewall: 17May2020 23:09:18 5 N/A 5 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: 17May2020 23:09:15 5 N/A 16 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: 17May2020 23:09:11 5 N/A 20 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: 17May2020 23:09:08 5 N/A 52 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: (+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; Prod
Please help, this is needed on an urgent basis.
Thanks in advance.
@Badger I have tried using grok and the KV filter,
but from this field, default_device_message: <174>Firewall:,
onwards the message starts again, and the value for the field default_device_message: is default_device_message: <174>Firewall: 17May2020 23:09:15 5 N/A 16 IP > N/A LogId: <max_null>
This is because kv is searching for ; as the next field separator,
and that is my main problem.
Any suggestion would be highly appreciated.
Thank you
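One way to handle the nesting described above is to cut each level at the first default_device_message: marker before doing any key-value splitting, then recurse into the remainder. This is an added example written for this thread, not the poster's or Logstash's code; the sample line is constructed (shortened to two nesting levels) and the field names syslog_pri, product and header are my own choices.

```ruby
# Added example (not from the thread): recursive parser for the nested
# "default_device_message:" format. Each level is cut at the FIRST marker
# before key-value splitting, so an embedded ';' can never end the wrong field.
NESTED_KEY = "default_device_message:".freeze
PRI_RE     = /\A<(\d+)>([^:]+):\s*/   # "<174>Firewall: "
FIRST_KV   = /\b\w+:\s/               # first "Key: " pair, e.g. "LogId: "

# Parse "Key: value; Key: value;" pairs from text that holds a single level.
def parse_kv(text)
  text.split(";").each_with_object({}) do |pair, acc|
    key, value = pair.split(":", 2)
    next if value.nil?                # stray whitespace after the last ';'
    acc[key.strip] = value.strip
  end
end

# Parse one message level and recurse into the embedded message, if any.
def parse_message(msg)
  head, marker, rest = msg.partition(NESTED_KEY)
  event = {}

  pri = head.match(PRI_RE)
  if pri
    event["syslog_pri"] = pri[1].to_i   # assumed field name
    event["product"]    = pri[2]        # assumed field name
    head = pri.post_match
  end

  # free-form header fields run up to the first "Key: " pair
  kv_start = head.index(FIRST_KV) || head.length
  event["header"] = head[0...kv_start].strip   # assumed field name
  event.merge!(parse_kv(head[kv_start..-1]))

  event["default_device_message"] = parse_message(rest.strip) unless marker.empty?
  event
end

# Constructed sample: two nesting levels, modelled on the line in the post.
SAMPLE = "<174>Firewall: 17May2020 23:09:18 5 N/A 5 IP > N/A LogId: <max_null>; " \
         "ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: " \
         "<174>Firewall: 17May2020 23:09:15 5 N/A 16 IP > N/A LogId: <max_null>; " \
         "ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: " \
         "<174>Firewall: (+); facility: local use 5; syslog_severity: Informational; " \
         "ProductName: Syslog; ProductFamily: Network;"

def parse_sample
  parse_message(SAMPLE)
end
```

The same function body can be dropped into a Logstash ruby filter, reading the raw line from the event and writing the resulting hash back as a field.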
Sorry, I still do not understand what value you want the default_device_message to have. Can you copy and paste the string that you want it to have as its value?