Searching the internet, I didn't find the right grok filter for IBM Integration Bus logs. In the end I decided to try by myself. The filter is working, but I have the opinion that it can be better. Below you can find my grok filter with the log.
Mar 28 12:12:01 localhost IIB[5979]: IBM Integration Bus v10008 (INDEV2.default) [Thread 21750] (Msg 1/1) BIP2153I: About to 'Start' an integration server.
Could you please give me some hints to improve my filter?
Is it possible, for example, to take three words with spaces and put them in one field? For example: IBM Integration Bus
I have some words that are not useful for me. Can I skip them?
And, you probably will want to add the beginning-of-line anchor ^ to the very beginning of your pattern if we know that there isn't going to be random junk before the timestamp.
Without it, when the pattern matcher fails, it will start over from the second letter, fail again, start over with the third letter, fail again, and so on, making the failure to match pretty computationally expensive.
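An added example, not part of the original thread: a Ruby regex for the posted log line, using the same `(?<name>...)` named-group syntax that grok accepts for inline captures. It puts the three words in one field, matches the unwanted `(Msg 1/1)` part without capturing it, and shows what the start anchor changes. The field names are assumptions chosen for illustration.

```ruby
# Constructed sample: the log line quoted in the question.
LINE = "Mar 28 12:12:01 localhost IIB[5979]: IBM Integration Bus v10008 " \
       "(INDEV2.default) [Thread 21750] (Msg 1/1) BIP2153I: " \
       "About to 'Start' an integration server."

# \A anchors at the start of the input, the role ^ plays in the grok pattern.
# Named groups become fields; anything matched outside a named group is dropped.
IIB_LINE = /
  \A(?<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s
  (?<host>\S+)\s
  (?<program>[^\s\[]+)\[(?<pid>\d+)\]:\s
  (?<product>IBM\sIntegration\sBus)\s   # three words with spaces, one field
  v(?<version>\d+)\s
  \((?<instance>[^)]+)\)\s
  \[Thread\s(?<thread>\d+)\]\s
  \(Msg\s\d+\/\d+\)\s                   # matched but not captured, so skipped
  (?<code>BIP\d+[A-Z]):\s
  (?<text>.*)
/x

# Same pattern without the anchor, to compare behaviour on a prefixed line.
UNANCHORED = Regexp.new(IIB_LINE.source.sub('\A', ''), Regexp::EXTENDED)

# Returns a Hash of field name => value, or nil when the line does not match.
def parse_iib(line)
  m = IIB_LINE.match(line)
  m ? m.named_captures : nil
end

if __FILE__ == $PROGRAM_NAME
  parse_iib(LINE).each { |field, value| puts "#{field}: #{value}" }
  prefixed = "junk " + LINE
  # The anchored pattern gives up after one attempt at offset 0;
  # the unanchored one retries at each later offset until it finds a match.
  puts "anchored on prefixed line:   #{parse_iib(prefixed).inspect}"
  puts "unanchored on prefixed line: #{!UNANCHORED.match(prefixed).nil?}"
end
```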