Problem with parsing logs!


(Sergey) #1

Hi!
I have very strange logstash behaviour. All my logs parse well and correctly except one.
This log looks like this:
InApp: Product: credits34; Transaction: '3000000823345'; User( ip: 345.234.254.32; user_id: 452687; name: 'kelly 02'; days_in_game: 98; pvp_rating: 80; provider: Undefined; device_model: 'Undefinded';).
The Transaction field can be in two versions:
1.Transaction: '323450823345';
2.Transaction: 'GPA.1445-4540-6845-63244';
I want to parse this field with a grok filter:
grok {
  # the capture name was lost from the post; <transaction> is a placeholder for the original field name
  match => [ "message", " Transaction: '(?<transaction>[^']+)';" ]
  tag_on_failure => []
}
And when logs come with the version 1 transaction, everything comes through and parses fine, but with the version 2 transaction the logs do not come into ES. When I turn off this grok filter, both log variants come into ES. Is it a problem in the grok filter?


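An added check, not part of Sergey's post: the Ruby below (Logstash runs on JRuby, and Ruby's Onigmo engine is close to the Oniguruma engine grok uses) applies the same named capture to constructed copies of both Transaction variants and also parses the rest of the line into fields. The capture name `transaction` is an assumption, since the name was lost from the post.

```ruby
# Added example (not from the original post): the poster's grok-style named
# capture, run against both Transaction variants. The capture name
# "transaction" is an assumption; the original name was lost from the post.
TRANSACTION_RE = / Transaction: '(?<transaction>[^']+)';/

# Constructed log lines modelled on the post, one per Transaction variant.
SAMPLE_LOGS = [
  "InApp: Product: credits34; Transaction: '3000000823345'; User( ip: 345.234.254.32; user_id: 452687; name: 'kelly 02'; days_in_game: 98; pvp_rating: 80; provider: Undefined; device_model: 'Undefinded';).",
  "InApp: Product: credits34; Transaction: 'GPA.1445-4540-6845-63244'; User( ip: 345.234.254.32; user_id: 452687; name: 'kelly 02'; days_in_game: 98; pvp_rating: 80; provider: Undefined; device_model: 'Undefinded';).",
]

# Mirror what grok does with the capture: return the captured value, or nil
# when the pattern does not match (grok would then add _grokparsefailure,
# unless tag_on_failure => [] silences it, as in the post).
def extract_transaction(line)
  m = TRANSACTION_RE.match(line)
  m && m[:transaction]
end

# Parse every "key: value;" pair of the InApp line into a hash so the other
# fields (user_id, ip, name, ...) can be checked as well. Quoted values lose
# their quotes; the leading "InApp:" prefix is not a field and is skipped.
KV_RE = /(\w+): (?:'([^']*)'|([^;:]+));/

def parse_inapp(line)
  fields = {}
  line.scan(KV_RE) { |key, quoted, bare| fields[key] = quoted || bare }
  fields
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LOGS.each do |line|
    puts "transaction=#{extract_transaction(line).inspect} user_id=#{parse_inapp(line)['user_id']}"
  end
end
```

Both variants yield a capture here, so the regex itself does not tell the two transaction forms apart; the difference in what reaches ES is worth tracing elsewhere in the pipeline.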
(system) #2