Hello,
I've got a new problem.
My custom patterns are:
SMDPROG (systemd|systemd\-logint|Systemd\-logint)
SMDSESSIONNUM \b(?:[1-9][0-9]*)\b
SMDUSER [A-Za-z]{1,20}([.][A-Za-z]{0,20})?
SMDACTION1 ([A-Za-z]{1,9})
SMDACTION2 ([A-Za-z]{13,13}\s[A-Za-z]{1,4}\s(\/[a-z]{1,10}\/[a-z]{1,10}\/[a-z]{1,10}\/[a-z]{1,10}\/[a-z]{1,10}\.[a-z]{1,10})\s[A-Za-z]{1,2}\s[A-Za-z]{6,6}\s[A-Za-z]{5,5}\-[A-Za-z]{12,12}[.]\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}[.]\s([A-Za-z]{1,20}\s[A-Za-z]{1,20})[.])
SMDACTION (%{SMDACTION2}|%{SMDACTION1})
SMDEXECTYPE1 ([A-Za-z]{7,7}\s[A-Za-z]{2,2}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20})
SMDEXECTYPE2 ([A-Za-z]{7,7}\s%{SMDSESSIONNUM:smd_sess_num}(\s[A-Za-z]{2,2}\s[A-Za-z]{4,4}\s%{SMDUSER:smd_user})?)
SMDEXECTYPE3 ([A-Za-z]{4,4}\-[0-9][.][A-Za-z]{5,5})
SMDEXECTYPE4 ([A-Za-z]{0,20}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}([.][.][.]))
SMDEXECTYPE (%{SMDEXECTYPE1}|%{SMDEXECTYPE2}|%{SMDEXECTYPE3}|%{SMDEXECTYPE4})
My match is:
%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SMDPROG:syslog_program}?: %{SMDACTION:smd_action}( %{SMDEXECTYPE:smd_exec})?[.]?
Logs like this are not parsed:
May 15 14:15:16 node2 systemd: Started Cleanup of Temporary Directories.
If I put them into http://grokconstructor.appspot.com/do/match#result, it says that a match is made, but I get an "after match:" field with nothing written in it. And when I put all of this into https://grokdebug.herokuapp.com/, I get no match at all.
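
Added example, not part of the original post: a small Python expander that resolves the %{NAME:field} references in the patterns above and runs the resulting regex against the sample line, so the pattern logic can be checked independently of either online debugger. SYSLOGTIMESTAMP and SYSLOGHOST are simplified stand-ins (assumptions) for the stock grok patterns, and Python's re is used in place of grok's Oniguruma engine, so engine-specific behaviour is not reproduced.

```python
import re

# Pattern table: "#" rows are comments for this example only, not grok syntax.
PATTERNS = r"""
# Simplified stand-ins (assumptions) for the stock grok patterns:
SYSLOGTIMESTAMP [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}
SYSLOGHOST [A-Za-z0-9][A-Za-z0-9.\-]*
# Custom patterns copied verbatim from the post:
SMDPROG (systemd|systemd\-logint|Systemd\-logint)
SMDSESSIONNUM \b(?:[1-9][0-9]*)\b
SMDUSER [A-Za-z]{1,20}([.][A-Za-z]{0,20})?
SMDACTION1 ([A-Za-z]{1,9})
SMDACTION2 ([A-Za-z]{13,13}\s[A-Za-z]{1,4}\s(\/[a-z]{1,10}\/[a-z]{1,10}\/[a-z]{1,10}\/[a-z]{1,10}\/[a-z]{1,10}\.[a-z]{1,10})\s[A-Za-z]{1,2}\s[A-Za-z]{6,6}\s[A-Za-z]{5,5}\-[A-Za-z]{12,12}[.]\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}[.]\s([A-Za-z]{1,20}\s[A-Za-z]{1,20})[.])
SMDACTION (%{SMDACTION2}|%{SMDACTION1})
SMDEXECTYPE1 ([A-Za-z]{7,7}\s[A-Za-z]{2,2}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20})
SMDEXECTYPE2 ([A-Za-z]{7,7}\s%{SMDSESSIONNUM:smd_sess_num}(\s[A-Za-z]{2,2}\s[A-Za-z]{4,4}\s%{SMDUSER:smd_user})?)
SMDEXECTYPE3 ([A-Za-z]{4,4}\-[0-9][.][A-Za-z]{5,5})
SMDEXECTYPE4 ([A-Za-z]{0,20}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}([.][.][.]))
SMDEXECTYPE (%{SMDEXECTYPE1}|%{SMDEXECTYPE2}|%{SMDEXECTYPE3}|%{SMDEXECTYPE4})
"""
MATCH = r"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SMDPROG:syslog_program}?: %{SMDACTION:smd_action}( %{SMDEXECTYPE:smd_exec})?[.]?"
LINE = "May 15 14:15:16 node2 systemd: Started Cleanup of Temporary Directories."

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def load(text):
    """Parse 'NAME regex' rows (regex may contain spaces); skip blanks and # comments."""
    rows = (r for r in text.splitlines() if r.strip() and not r.startswith("#"))
    return dict(r.split(" ", 1) for r in rows)

def expand(expr, defs):
    """Recursively replace %{NAME} / %{NAME:field} with the referenced regex."""
    def sub(m):
        inner = expand(defs[m.group(1)], defs)
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"
    return GROK_REF.sub(sub, expr)

def probe(line, match_expr=MATCH):
    """Return (captured fields, text left after the match), or (None, line) on no match."""
    m = re.search(expand(match_expr, load(PATTERNS)), line)
    if m is None:
        return None, line
    return {k: v for k, v in m.groupdict().items() if v is not None}, line[m.end():]

if __name__ == "__main__":
    fields, rest = probe(LINE)
    print(fields)
    print("after match:", repr(rest))
```

Under these assumptions the sample line matches with nothing left after the match; the result says nothing about how grokdebug evaluates the same patterns.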