can someone please advise how to skip one or more tabs coming in input log line ?

I/P - [2017-06-05 12:16:08,353] :|: INFO :|: lvprdsnbfe1.lv.jabodo.com :|: :|: :|:\n\t\t\t\t :|: :|: c.m.c.PeriodicProductDataRefresher :|: - Product data is up to date, no refresh was conducted

input {
beats {
port => 5044
codec => multiline {
pattern => "^[%{TIMESTAMP_ISO8601}]"
negate => true
what => previous
}
}
}
filter {
grok {
match => { "message" => "[%{TIMESTAMP_ISO8601:timestamp_match}]%{SPACE}:|:%{SPACE}%{WORD:level}%{SPACE}:|:%{SPACE}%{USERNAME:hostname}%{SPACE}:|:%{SPACE}%{GREEDYDATA:coidkey}%{SPACE}:|:%{SPACE}%{GREEDYDATA:clientinfo}%{SPACE}:|:%{SPACE}%{GREEDYDATA:clientip}%{SPACE}:|:%{SPACE}%{GREEDYDATA:Url}%{SPACE}:|:%{SPACE}%{JAVACLASS:class}%{SPACE}:|:%{SPACE}%{USER:ident}%{SPACE}%{GREEDYDATA:msg}"}
}
}

Grok is not able to work after \n\t\t\t\t ...if i remove that tabs then it works fine .

Thanks.

Was able to skip it with mutate-gsub .

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.