I am trying to parse out the last number of a field (that is a string). My grok pattern, currently, pulls the first number and puts it in the new field. How can make that grok pattern skip the first 2 numbers it comes across and instead grab the third?
Sample [TEXT] field value:
" IAT1613 JOB SERZMFP (JOB04933) SYSTEM MESSAGE COUNT IS 290,000"
Here's my code:
</>
if "IAT1613" in [TEXT] {
grok { match => ["TEXT","%{NUMBER:MSG_COUNT}"] }
}
</>
The grok pattern grabs the "1613" but I need it to grab the number 290,000 instead.