Hello,
I parse the hostname of the syslog source event with the following grok:
grok {
match
=> [ "message", "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname}
%{GREEDYDATA:mess}" ]
}
It works well for hostname in one word (eg: greentop) but doesn't work for hostname like this green_top.
Any idea ?
Thanks
Use NOSPACE instead of SYSLOGHOST.
Underscores aren't allowed in DNS hostnames which probably is why SYSLOGHOST doesn't include them.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.