Only the first pattern in the message field is worling, others are ignored

Darya_Semenova · May 2, 2017, 11:51am

For some reason for the code like this:

filter {
    if [type] == "syslog" and !("parsed_by_slurm_filter" in [tags]) and !("parsed_by_xcat_filter" in [tags]) {
        grok {
            patterns_dir => ["./patterns"]
            remove_tag => ["_grokparsefailure"]
            match => {
                 "message" => ["%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(\(etc/cron\.hourly\))(?:\[%{POSINT:syslog_pid}) %{GREEDYDATA:syslog_message}", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\]) %{GREEDYDATA:syslog_message}"]
             }
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{host}" ]
        }
    }
}

Only the first pattern

"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"

works, but for example,

"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(\(etc/cron\.hourly\))(?:\[%{POSINT:syslog_pid}) %{GREEDYDATA:syslog_message}"

seems to be ignored completely.

riddhijit_roy · May 2, 2017, 12:16pm

Try this out

grok {
break_on_match => true
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}((etc/cron.hourly))(?:[%{POSINT:syslog_pid}) %{GREEDYDATA:syslog_message}"}
match => { "message"=> "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}"}
}

system · May 30, 2017, 12:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.