Hello,
I have a problem with configuring the grok plugin. I'm a beginner and I don't know yet how it all works.
This is part of my Logstash conf:
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:formattedDate}.* %{GREEDYDATA:tempMessage}" }
  }
  date {
    match => ["formattedDate", "YYYY-MM-dd HH:mm:ss.SSS", "ISO8601"]
    target => "@timestamp"
  }
}
And I have a flat file which has the data below:
2016-06-01 00:00:09.971 [INFO][ sample.info.log][ sample.info.log] [ SINGLETON_CRUSHED|XXX] Locking...
My output in LS is:
{
  "message": "2016-06-01 00:00:09.971 [INFO][ sample.info.log][ sample.info.log] [ SINGLETON_CRUSHED|XXX] Locking... ",
  "@version": "1",
  "@timestamp": "2016-05-31T22:01:39.995Z",
  "path": "C:\\data\\sample.log",
  "host": "SDPL02864",
  "formattedDate": "2016-06-01 00:01:39.995",
  "tempMessage": "SINGLETON_CRUSHED|statusX] Locking..."
}
And I don't know how I can separate this part: SINGLETON_CRUSHED|statusX] Locking...
into two parts like here:
{
  "message": "2016-06-01 00:00:09.971 [INFO][ sample.info.log][ sample.info.log] [ SINGLETON_CRUSHED|XXX] Locking... ",
  "@version": "1",
  "@timestamp": "2016-05-31T22:01:39.995Z",
  "path": "C:\\data\\sample.log",
  "host": "SDPL02864",
  "formattedDate": "2016-06-01 00:01:39.995",
  "tempMessage": "SINGLETON_CRUSHED",   <--------------------------
  "tempMessage2": "statusX"           <--------------------------
}
How can I do this?
Thanks in advance
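
One way to get the split asked for above, as an added example that is not part of the original post: anchor the grok pattern on the literal brackets and the `|` separator instead of `.*`. The field names `level`, `logger`, `logger2` and `logText` are assumptions chosen for illustration; `tempMessage` and `tempMessage2` are the names from the question.

```logstash
filter {
  grok {
    # Every field is bounded by a literal "[", "]" or "|" so nothing relies on
    # a greedy ".*" deciding where one value ends and the next begins.
    # Sample line from the post:
    #   2016-06-01 00:00:09.971 [INFO][ sample.info.log][ sample.info.log] [ SINGLETON_CRUSHED|XXX] Locking...
    match => {
      "message" => "^%{TIMESTAMP_ISO8601:formattedDate}\s+\[%{LOGLEVEL:level}\]\[\s*%{DATA:logger}\]\[\s*%{DATA:logger2}\]\s*\[\s*%{DATA:tempMessage}\|%{DATA:tempMessage2}\]\s*%{GREEDYDATA:logText}"
    }
    # DATA is non-greedy, so tempMessage stops at the first "|" and
    # tempMessage2 stops at the first "]" after it.
    # Lines that do not have this shape are tagged _grokparsefailure
    # (the grok default) and keep only the raw "message" field.
  }

  date {
    match  => ["formattedDate", "YYYY-MM-dd HH:mm:ss.SSS", "ISO8601"]
    target => "@timestamp"
  }
}
```

For the sample line this yields `tempMessage` = `SINGLETON_CRUSHED`, `tempMessage2` = `XXX` and `logText` = `Locking...`; events tagged `_grokparsefailure` are worth routing somewhere visible so that lines with an unexpected layout are not silently left unparsed.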