I am trying to add a filter for the below log format:
[24/Oct/2017 15:04:53 ] cluster WARNING Picking RM HA: ha
The filter I have added is:
[%{MONTHDAY:logDate}/%{MONTH:logMonth}/%{YEAR:logYear} %{TIME:logTime} ]%{SPACE}%{GREEDYDATA:platformType} +\s %{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{GREEDYDATA:message}
The issue is with platformType: cluster has a trailing space and I would like to remove it. Below is the screenshot from https://grokdebug.herokuapp.com/
Can anyone help me in fetching only the platformType value by removing trailing spaces?
What are the possible values of platformType? If all values are only a single word, you'd be better off using something like NOTSPACE instead of GREEDYDATA (since GREEDYDATA is a bit expensive). Also, you should escape those brackets in your pattern.
Sorry, this did not work for me. A clarification: I copy-pasted the log while logging this, and there are 6 spaces between the words cluster and WARNING; these were removed on submission.
Can you try explicitly adding 6 spaces between cluster and WARNING in the below log message before trying it in https://grokdebug.herokuapp.com/?
[24/Oct/2017 15:04:53 ] cluster WARNING Picking RM HA: ha
Also, you can always remove leading/trailing whitespace post-grok with the strip option of the mutate filter, if you want to avoid trying to track down all possible corner cases for grok patterns.
Thanks a lot. It worked with NOTSPACE as suggested by you. However, I tried strip and was unsuccessful. Is there any snippet for this same trailing space removal?
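The two suggestions from this thread, written out as one Logstash filter block. This is an added example, not posted by any participant: the field names come from the pattern in the question, while the `overwrite` setting and stripping `message` as well are assumptions added here.

```logstash
filter {
  grok {
    # Brackets are escaped so they match a literal [ and ].
    # NOTSPACE stops at the first whitespace character, so platformType
    # cannot absorb the padding that precedes the log level.
    match => {
      "message" => "\[%{MONTHDAY:logDate}/%{MONTH:logMonth}/%{YEAR:logYear} %{TIME:logTime} \]%{SPACE}%{NOTSPACE:platformType}%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{GREEDYDATA:message}"
    }
    # The pattern captures into "message", which already holds the raw line;
    # overwrite replaces that value instead of appending a second one.
    overwrite => ["message"]
  }

  # Placed after grok: filters run in order, and the fields must exist
  # before they can be stripped. strip removes leading and trailing
  # whitespace from each listed string field.
  mutate {
    strip => ["platformType", "message"]
  }
}
```

With NOTSPACE in place the strip on platformType is redundant; it is kept to show where the mutate filter goes for fields that are still captured with GREEDYDATA.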