Hello I am trying to parse log file and wanted to check how I can stop at first encounter of ":" for Tag.
02-05 00:00:13.199 3162 3162 I audit : test: Loaded service_contexts from /service_contexts.
Grok filter I have added for this: %{MONTHNUM:Month}-%{MONTHDAY:Day}\s*%{TIME:Timestamp}\s*%{NONNEGINT:SID}\s*%{NUMBER:R_id}\s*%{WORD:Severity}\s*(?(?:[()a-zA-Z0-9./[^ ]\s]+)):\s*%{GREEDYDATA:Message}
Can someone please help?
I am unable to parse that regexp, so I am not sure what you want. I would do this using dissect rather than grok.
dissect { mapping => { "message" => "%{ts} %{+ts} %{SID} %{R_id} %{severity} %{restOfLine}" } }
If you are trying to capture the word audit then change that to
dissect { mapping => { "message" => "%{ts} %{+ts} %{SID} %{R_id} %{severity} %{something} : %{restOfLine}" } }Thanks. Dissect indeed worked well.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.