to extract everything in between the double quotes. Note that you'll have to make the grok expression string a single-quoted string (it's currently double-quoted). Another option is to use the QS grok pattern but it keeps the surrounding double quotes in the extracted string.
As I said: Note that you'll have to make the grok expression string a single-quoted string (it's currently double-quoted). That means this:
match => {"message" => 'zFlow\(LOCAL\) <- STRING: "(?<Flow>[^"]*)'}
But it does not work. The logstash configuration file no longer launches.
In this particular case I was able to spot the error anyway, but please try to anticipate the questions you are going to get. If Logstash doesn't start we're going to want to see the logs.