I'm having a hard time parsing a log with this configuration:
username/user_id@domain
Example:
jhon/999@test.com
I am using this grok expression:
match => "%{DATA:username}/%{DATA:user_id}\@%{DATA:domain}"
But the "domain" variable is always lost. Any suggestion to get the three values in a clean way?
Finally I could solve it using this grok expression:
match => "%{DATA:username}/%{USER:user_id}@%{HOSTNAME:domain}"
Yeah, be very careful with more than one DATA or GREEDYDATA in the same expression. Use stricter patterns whenever you can.
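
Added example, not part of the original thread: a small Python emulation of grok expansion that shows why the trailing DATA capture comes back empty and how the stricter patterns fix it. The regex bodies in PATTERNS are assumed to mirror the stock Logstash definitions, grok_to_regex and grok_match are hypothetical helper names, and the anchored variant goes slightly beyond the thread to show that anchoring alone over-captures.

```python
import re

# Regex bodies for the grok patterns used in the thread. Assumption: these
# mirror the stock Logstash pattern definitions; check your installed set.
PATTERNS = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "USER": r"[a-zA-Z0-9._-]+",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
}

def grok_to_regex(expr):
    """Expand %{NAME:field} references into named capture groups."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), PATTERNS[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, expr))

def grok_match(expr, line, keep_empty=False):
    """Unanchored search, as grok does. Empty captures are dropped unless
    keep_empty is set (grok's keep_empty_captures defaults to false)."""
    m = grok_to_regex(expr).search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v or keep_empty}

# Expressions from the thread, plus an anchored variant added for comparison.
LOOSE = r"%{DATA:username}/%{DATA:user_id}\@%{DATA:domain}"
STRICT = r"%{DATA:username}/%{USER:user_id}@%{HOSTNAME:domain}"
ANCHORED = r"^%{DATA:username}/%{DATA:user_id}@%{DATA:domain}$"

SAMPLE = "jhon/999@test.com"              # example line from the question
TRAILING = "jhon/999@test.com logged in"  # constructed line with extra text

if __name__ == "__main__":
    for line in (SAMPLE, TRAILING):
        for name, expr in (("loose", LOOSE), ("strict", STRICT),
                           ("anchored", ANCHORED)):
            print("%-8s %-28r %s" % (name, line, grok_match(expr, line)))
```

The lazy `.*?` at the end of the loose expression is satisfied by zero characters, so the match succeeds with an empty domain that is then dropped from the event.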