Hello,
My problem has two possible solutions that I can use. At the moment I am not succeeding with either.
My log
2020-04-30T13:48:17.954 Int 50141 009401EA-1003849D 3553384768 custom_var navigation|4300; 4201; 7001; 8001; 9000
Solution 1
Try to separate the data after the "|" character:
grok {
  #match => { "message" => "%{TIMESTAMP_ISO8601:log_data_evento}%{SPACE}%{GREEDYDATA:data_log}" }
  match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD}%{SPACE}%{NUMBER}%{SPACE}%{NOTSPACE:field1}%{SPACE}%{NUMBER} %{SPACE} custom_var navigation|%{GREEDYDATA:detail} " }
}
It didn't work, the grok fails.
Solution 2
Grok differently and remove the character "|" with a mutate gsub filter.
I managed to make the grok so that the "detail" field has this value:
|4300; 4201; 7001; 8001; 9000
I tried to replace the "|" character with a blank using the gsub filter, as shown below:
filter {
  mutate {
    gsub => ["detail", "|", ""]
  }
}
However, the character remains intact.
Am I doing something wrong? Any solution?
Thank you
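An added illustration of the behaviour behind the question, not part of the original post: Logstash's mutate filter runs on JRuby and compiles each gsub pattern as a regular expression (that it behaves like Ruby's Regexp.new is my assumption), so a bare "|" is an empty alternation that matches nothing visible and removes nothing, while an escaped "\|" matches the literal pipe. The log line and field value below are constructed from the ones in the post; the regex that stands in for the grok pattern is mine and is not the grok filter itself.

```ruby
# Constructed sample values taken from the question.
DETAIL = "|4300; 4201; 7001; 8001; 9000"
LOG_LINE = "2020-04-30T13:48:17.954 Int 50141 009401EA-1003849D 3553384768 " \
           "custom_var navigation|4300; 4201; 7001; 8001; 9000"

# Stand-in for mutate gsub: the pattern string is compiled to a Regexp
# (assumption: this mirrors what the Logstash mutate filter does).
def logstash_gsub(value, pattern, replacement)
  value.gsub(Regexp.new(pattern), replacement)
end

# "|" compiles to /|/, an alternation of two empty branches: it matches the
# empty string at every position, so replacing it with "" changes nothing.
def unescaped_pipe
  logstash_gsub(DETAIL, "|", "")
end

# "\\|" in Ruby source is the two characters \| which compile to a literal pipe.
# In a Logstash config file this is written as gsub => ["detail", "\\|", ""].
def escaped_pipe
  logstash_gsub(DETAIL, "\\|", "")
end

# Once the pipe is gone the remaining value splits cleanly on ";".
def split_detail
  escaped_pipe.split(";").map(&:strip)
end

# Plain-regex equivalent of the grok idea from Solution 1, with the pipe
# escaped so it is a literal character rather than an alternation.
LINE_RE = /\A(?<timestamp>\S+)\s+(?<level>\w+)\s+(?<num1>\d+)\s+(?<field1>\S+)\s+
           (?<num2>\d+)\s+custom_var\ navigation\|(?<detail>.*)\z/x

# Returns a Hash of named captures, or nil when the line does not match.
def parse_line(line)
  m = LINE_RE.match(line)
  m && m.named_captures
end
```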