Hello everybody, I use Logstash and grok to parse this line:
25/05/2018 11:55:28.630 (TACHE) 27/02/2018/D T XX_CACXXX_X_TN_CAC001MT_PORTEFEUILLE(945)/SAU_XXXXXX_X_LL_OPE001_EFLUID TER STATUS : TN Terminaison normale de la tâche (TN EXIT CODE 0)
This is my logstash config:
### INPUT SECTION ###
input
{
  beats
  {
    port => 5044
  }
}

### FILTER SECTION ###
filter
{
  grok
  {
    match => { "message" => [ "%{DATE_EU:DATE_LOG} %{TIME:HEURE_TACHE} \(%{WORD:TYPE_TACHE}\) %{DATE_EU:DATE_TACHE}/D . %{WORD:NOM_TACHE}\(%{NUMBER:ID_TACHE}\)/%{WORD:LOCALISATION} (?<STATUS>[A-Z]\w++\s+[A-Z]\w+) : %{WORD:CODE_TACHE} %{GREEDYDATA:DESCRIPTION}" ] }
  }
  mutate
  {
    remove_field => [ "@version","CODE_TACHE","DATE_LOG","ID_TACHE","STATUS","TYPE_TACHE","_id","_index","_score","_type","beat.hostname","beat.name","beat.version","filetype","host","offset","prospector.type","tags" ]
  }
  if ([message] !~ "CODE")
  {
    drop { }
  }
}

### OUTPUT SECTION ###
output
{
  elasticsearch
  {
    hosts => "http://localhost:9200"
    index => "vega_test"
  }
}
Everything is OK, I obtain a good parsing, but I want to reparse the "DESCRIPTION" field.
Actually, "DESCRIPTION" looks like:
Terminaison normale de la tâche (TN EXIT CODE 0)
And I would like to have:
"DESCRIPTION" the same as above, but with another field "CODE_ERREUR" : 0
Can somebody help me?
PS: "%{NUMBER:CODE_ERREUR}" matches, but when I add this line below my first match instruction:
match => { "DESCRIPTION" => [ "%{NUMBER:CODE_ERREUR}" ] }
"DESCRIPTION" isn't parsed.
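An added example of the filter section, not taken from the question above: a grok filter only sees fields that already exist when it runs, so a second "DESCRIPTION" entry inside the same grok block cannot see the field the first pattern is creating. Putting the second pattern in its own grok block, after the first one, makes it run against the DESCRIPTION value; the pattern below assumes DESCRIPTION always ends with "(<word> EXIT CODE <number>)", and the "_code_erreur_absent" tag name is a placeholder I chose.

```logstash
### FILTER SECTION ###
filter
{
  # First stage: unchanged from the question; it creates DESCRIPTION.
  grok
  {
    match => { "message" => [ "%{DATE_EU:DATE_LOG} %{TIME:HEURE_TACHE} \(%{WORD:TYPE_TACHE}\) %{DATE_EU:DATE_TACHE}/D . %{WORD:NOM_TACHE}\(%{NUMBER:ID_TACHE}\)/%{WORD:LOCALISATION} (?<STATUS>[A-Z]\w++\s+[A-Z]\w+) : %{WORD:CODE_TACHE} %{GREEDYDATA:DESCRIPTION}" ] }
  }

  # Second stage in a separate grok block: by now DESCRIPTION exists on the event.
  # Assumption: DESCRIPTION ends with "(<word> EXIT CODE <number>)", e.g. "(TN EXIT CODE 0)".
  # Anchoring on "EXIT CODE" and "$" avoids picking up some other digit in the text,
  # and ":int" stores CODE_ERREUR as a number instead of the string "0".
  if [DESCRIPTION]
  {
    grok
    {
      match => { "DESCRIPTION" => [ "EXIT CODE %{NUMBER:CODE_ERREUR:int}\)$" ] }
      tag_on_failure => [ "_code_erreur_absent" ]
    }
  }

  # The mutate (remove_field) and the "if ([message] !~ "CODE") { drop { } }"
  # blocks from the question follow here unchanged.
}
```

DESCRIPTION itself is left untouched, so the event keeps "Terminaison normale de la tâche (TN EXIT CODE 0)" and gains CODE_ERREUR = 0.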