Need help with the Grok Pattern

Hi,
I need to match the following log messages within one event extract that I get from my head-end systems.

Event_number 26.03.2017 00:00:06   252:location1 rtuid1 pipesizemm componentID1 LEVEL INDICATION  Alarm limit HighHigh  4.7 m > 4.5 m
Event_number  26.03.2017 00:00:07   891:location2 rtuid2 pipesizemm componentID2 FWD FLOW TOTALIZER  CV-difference too large acknowledged by user1
Event_number  26.03.2017 00:00:07   252:location3 rtuid3 pipesizemm componentID3 LEVEL INDICATION  Alarm Limit HighHigh exceeded acknowledged by user2

I have been able to match the last 2 events, though I am not able to get the same correctly with this pattern:

%{NUMBER:EventID}%{SPACE}%{DATESTAMP:timestamp}%{SPACE}%{NUMBER:device_ID}:%{CISCO_REASON:Location}%{SPACE}R%{USER:RTU_ID}%{SPACE}%{WORD:PipeSize}%{SPACE}%{USERNAME:Component_id}%{GREEDYDATA:message}%{SPACE}by%{SPACE}%{USER:User}

Any help would be really appreciated

%{NUMBER:EventID}%{SPACE}%{DATESTAMP:timestamp}%{SPACE}%{NUMBER:device_ID}:%{CISCO_REASON:Location}%{SPACE}R%{USER:RTU_ID}%{SPACE}%{WORD:PipeSize}%{SPACE}%{USERNAME:Component_id}%{GREEDYDATA:message}%{SPACE}by%{SPACE}%{USER:User}

This "R" in your grok pattern is confusing... this can't match your events.

Have a look at https://grokdebug.herokuapp.com/ . Here you can debug the pattern.

And have a look at dissect: https://www.elastic.co/guide/en/logstash/current/plugins-filters-dissect.html . I think this is better for your use case.
This blog post is about dissect too: https://www.elastic.co/blog/logstash-dude-wheres-my-chainsaw-i-need-to-dissect-my-logs

Hope this helps.

Greetz

jupp
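An added example, not part of either post above: a plain Python `re` translation of the question's pattern structure, run against the three sample events. It shows why a `%{GREEDYDATA:message}` followed by an optional `by %{USER:User}` tail never fills `User` (the greedy capture swallows the tail) and how a lazy capture with an optional tail matches all three lines, including the first one that has no user. Field names are taken from the question; the regex fragments are approximations of the grok tokens, not the grok library's own definitions.

```python
import re
from typing import Optional, Pattern

# The three sample events from the question, copied as posted (placeholders included).
SAMPLE_EVENTS = [
    "Event_number 26.03.2017 00:00:06   252:location1 rtuid1 pipesizemm componentID1 "
    "LEVEL INDICATION  Alarm limit HighHigh  4.7 m > 4.5 m",
    "Event_number  26.03.2017 00:00:07   891:location2 rtuid2 pipesizemm componentID2 "
    "FWD FLOW TOTALIZER  CV-difference too large acknowledged by user1",
    "Event_number  26.03.2017 00:00:07   252:location3 rtuid3 pipesizemm componentID3 "
    "LEVEL INDICATION  Alarm Limit HighHigh exceeded acknowledged by user2",
]

# Fixed-position fields, approximating the grok tokens used in the question.
# The event id is matched as a generic token because the samples show a placeholder
# where the real logs carry a number (assumption; use \d+ for %{NUMBER} there).
HEAD = (
    r"^(?P<EventID>\S+)\s+"
    r"(?P<timestamp>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\s+"  # 26.03.2017 00:00:06
    r"(?P<device_ID>\d+):(?P<Location>\S+)\s+"
    r"(?P<RTU_ID>\S+)\s+(?P<PipeSize>\S+)\s+(?P<Component_id>\S+)\s+"
)
# Optional "... by <user>" tail: event 1 has no user, events 2 and 3 do.
TAIL = r"(?:\s+by\s+(?P<User>\S+))?$"

# Equivalent of %{GREEDYDATA:message} followed by the optional tail: ".*" eats
# the whole remainder, the optional group matches empty, and User is never set.
GREEDY_RE = re.compile(HEAD + r"(?P<message>.*)" + TAIL)
# Lazy capture (in grok syntax: (?<message>.*?)) stops as soon as the tail can match.
LAZY_RE = re.compile(HEAD + r"(?P<message>.*?)" + TAIL)


def parse_event(line: str, pattern: Pattern[str] = LAZY_RE) -> Optional[dict]:
    """Return the named fields for one event, or None if the line does not match."""
    m = pattern.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        greedy, lazy = parse_event(line, GREEDY_RE), parse_event(line)
        print("greedy User:", greedy["User"], "| lazy User:", lazy["User"])
        print("lazy message:", lazy["message"])
```

In grok terms the same fix is replacing `%{GREEDYDATA:message}%{SPACE}by%{SPACE}%{USER:User}` with `(?<message>.*?)(?:%{SPACE}by%{SPACE}%{USER:User})?$`, so the tail is optional and the message capture stops before it.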
