I have an issue with my grok patterns. Some lines in my grok patterns contain a GREEDYDATA regex. So they match before other lines and I cannot match logs with the fields that I want.
Could you please tell me a way to match what I want even with a GREEDYDATA regex? Do you know if there is an order in which the regexes are applied, or could we set a kind of order?
Do you know if there is an order in which the regexes are applied, or could we set a kind of order?
If you list multiple grok expressions in the same grok filter they will be applied in the order given and the first match wins. Therefore you'll want to list the most specific expressions first.
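As an added illustration of that ordering rule (this is not code from the thread or from Logstash itself), the small Python script below simulates how a grok filter with several expressions behaves: each grok expression is expanded into a Python regex and tried in the listed order, and the first one that matches wins. It uses the WLC log line posted later in this thread, a handful of standard grok pattern names re-implemented as assumptions (TIMESTAMP_ISO8601, IP, WORD, INT, COMMONMAC, DATA, GREEDYDATA), and a constructed STATE custom pattern, since the asker's real STATE definition is not shown. With the GREEDYDATA expression listed first, the specific fields are never extracted; with the specific expression listed first, they are, and lines that do not fit it still fall through to the general one.

```python
import re

# Minimal stand-ins for the grok library entries used here (assumptions, not
# the exact definitions shipped with Logstash). STATE is a constructed custom
# pattern standing in for the asker's own STATE definition.
GROK_LIB = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "WORD": r"\w+",
    "INT": r"[+-]?\d+",
    "COMMONMAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",
    "DATA": r".*?",        # lazy: stops as soon as the rest of the pattern can match
    "GREEDYDATA": r".*",   # greedy: swallows everything to the end of the line
    "STATE": r"already|not",
}

# %{NAME:field} captures into a named group; %{NAME} matches without capturing.
GROK_SYNTAX = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand grok %{NAME:field} references into a compiled, left-anchored regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_LIB[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile("^" + GROK_SYNTAX.sub(expand, pattern))


def grok_first_match(line, named_patterns):
    """Try compiled expressions in order; the first match wins, as in a grok filter.

    Returns (pattern_name, fields) or (None, {}) on a _grokparsefailure.
    """
    for name, rx in named_patterns:
        m = rx.search(line)
        if m:
            return name, m.groupdict()
    return None, {}


# The two expressions from the thread, reconstructed as assumptions: the general
# one ends in GREEDYDATA, the specific one extracts the MAC/slot/vap fields.
PATTERNS = {
    "GENERAL_WLC": "%{TIMESTAMP_ISO8601:timestamp} %{IP:wlc_ip} %{WORD:severity} "
                   "%{GREEDYDATA:message_info}",
    "COMMON_WLC": "%{TIMESTAMP_ISO8601:timestamp} %{IP:wlc_ip} %{WORD:severity} "
                  "%{DATA:message_info}client %{COMMONMAC:client_mac} is %{STATE:state} "
                  "in use by %{COMMONMAC:to_delete} for AP %{COMMONMAC:AP_mac} "
                  "slot %{INT:slot} vap %{INT:vap}",
}

# Log line as posted in the thread.
WLC_LINE = ("2017-01-16T05:48:09+01:00 10.126.4.202 err *spamApTask6: Jan 16 05:48:05.723: "
            "#LWAPP-3-INVALID_AID2: spam_api.c:1477 Association identifier 10 for client "
            "f9:00:54:32:b1:90 is already in use by f9:00:54:32:b1:90 for AP "
            "10:f5:8b:65:0c:42 slot 1 vap 1")
# Constructed line that only the general expression can handle.
OTHER_LINE = "2017-01-16T05:50:00+01:00 10.126.4.202 info *sshpmMainTask: SSH session opened"


def match_in_order(line, order):
    """Compile the named patterns in the given order and return the first match."""
    compiled = [(name, grok_to_regex(PATTERNS[name])) for name in order]
    return grok_first_match(line, compiled)


if __name__ == "__main__":
    for order in (["GENERAL_WLC", "COMMON_WLC"], ["COMMON_WLC", "GENERAL_WLC"]):
        name, fields = match_in_order(WLC_LINE, order)
        print(f"order={order} -> matched {name}, client_mac={fields.get('client_mac')}")
    print(match_in_order(OTHER_LINE, ["COMMON_WLC", "GENERAL_WLC"])[0])
```

Running it shows `GENERAL_WLC` winning, with no `client_mac` at all, when it is listed first, and `COMMON_WLC` winning with all the MAC, slot and vap fields populated when the specific expression comes first; the unrelated line still falls back to `GENERAL_WLC`. The same principle applies in a real Logstash grok filter: put the most specific `match` entries at the top and the catch-all GREEDYDATA entry last.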
Log example:
2017-01-16T05:48:09+01:00 10.126.4.202 err *spamApTask6: Jan 16 05:48:05.723: #LWAPP-3-INVALID_AID2: spam_api.c:1477 Association identifier 10 for client f9:00:54:32:b1:90 is already in use by f9:00:54:32:b1:90 for AP 10:f5:8b:65:0c:42 slot 1 vap 1
I already tried in the Grok Debugger, and it is working. But only GENERAL_WLC matches in production and not COMMON_WLC. Do you have an idea why?
(I mean %{GREEDYDATA:message_info} takes the data, but never the %{COMMONMAC:client_mac} \w+ %{STATE:state} \w+ %{COMMONMAC:to_delete} \w+ \w+ %{COMMONMAC:AP_mac} \w+ %{INT:slot} \w+ %{INT:vap} fields)
The behavior is as if GENERAL_WLC is matching before COMMON_WLC. Is that possible?
I did what you asked and re-enabled the message field to get it all.
I have _grokparsefailure all the time now, but it is pretty strange because my pattern is OK on the Grok Debugger website.
Reduce your expression to the simplest possible. Make sure that works. Then start adding back pieces until it breaks again. That'll narrow down the problem.