Snippet q 2

Arun_Murugappan · July 24, 2018, 9:51am

input log file :
Sep 9 07:50:43 es-rclarke dhclient: bound to 10.10.10.89 -- renewal in 426936 seconds.
config file is as follows:

filter {
grok {
match => {
"message" => "%{SYSLOGLINE}"
}
overwrite => [ "message" ]
}
grok {
match => {
"message" => "bound to %{IPV4:[dhclient][address]} -- renewal in %{INT:[dhclient][renewal]:int} seconds."
}
tag_on_failure => []
}
}

In the above two grok patterns especially-SYSLOGLINE stands for?
likewise why the field names are in two square brackets like [dhcclient][address] and [dhclient][renewal]

magnusbaeck · July 24, 2018, 6:35pm

In the above two grok patterns especially-SYSLOGLINE stands for?

You were given the URL to the grok pattern definitions in one of the other threads you started.

likewise why the field names are in two square brackets like [dhcclient][address] and [dhclient][renewal]

That's the syntax for nested fields, see https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html.

Arun_Murugappan · July 31, 2018, 11:35am

got it. thanks magnus.

system · August 28, 2018, 11:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.