Struck Grok for Linux Application Log

Hi Friends,

I am writing a grok pattern for Linux application logs and am able to achieve half of it. I need your suggestions on how to get the remaining data (optional data). Or do we have any other way to get this data?

Application log Example:
ABC-LNV 7099177 1 0 MOVING In 2020-01-16T14:30:35Z Error Process Out, Advice Qty. 1.000000, 1.000000 Shortage (manual) Order 911179536/1/1/0 Error 099-012383820-MOVING-E117199211.xml Inv. Mov Nr LNV-11GT014 0 1000002IPCC 14230106 0342 username MA3G

Up to the lines below, I am able to define the grok. After the ERROR field, the rest of the fields' data are optional; they may or may not have data (null or empty field).

ABC-LNV 7099177 1 0 MOVING In 2020-01-16T14:30:35Z Error Process Out, Advice Qty. 1.000000, 1.000000 Shortage (manual) Order 911179536/1/1/0 Error

Grok command:
(?[a-zA-Z0-9._-]+)\s+(?[\d]+)\s+(?[\d]+)\s+(?[\d]+)\s+(?[\w-#]+)\s+(?[\w]+)\s+%{TIMESTAMP_ISO8601:Processing_Time}\s+(?(.+)\s+).+?(?=Error\s\s)(?[\w]+)\s+

The rest of the data below is optional and may or may not have data. It is tab delimited:
099-012383820-MOVING-E117199211.xml Inv. Mov Nr LNV-11GT014 0 1000002IPCC 14230106 0342 username MA3G
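One way to handle the optional trailing fields is to wrap each one in its own optional group, `(?:\t(?<name>[^\t]*))?`, so a line that stops early still matches and an empty field between two tabs yields an empty capture rather than a match failure. The following is an added example, not code from the original post: it uses Python's `re` to stand in for Logstash grok (which is Oniguruma regex, so the same construct applies with `(?<name>...)` instead of Python's `(?P<name>...)`). The field names, the exact tab positions, and the sample lines are assumptions constructed for the demonstration, since the group names in the posted pattern were lost in rendering.

```python
import re
from typing import Optional

# Fixed header fields that are always present (assumed names; the original
# post's capture-group names did not survive rendering).
HEADER = (
    r"(?P<system>[A-Za-z0-9._-]+)\t"
    r"(?P<order_id>\d+)\t"
    r"(?P<n1>\d+)\t"
    r"(?P<n2>\d+)\t"
    r"(?P<state>[\w#-]+)\t"
    r"(?P<direction>\w+)\t"
    r"(?P<processing_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\t"
    r"(?P<message>[^\t]+)\t"
    r"(?P<level>\w+)"
)

# Trailing fields, in order; each may be absent or empty (assumed names and order).
OPTIONAL_FIELDS = ["file", "inv_label", "mov_nr", "flag", "plant",
                   "doc", "seq", "user", "site"]


def optional_field(name: str) -> str:
    # A tab followed by anything-but-tab, wrapped so the whole field may be missing.
    # In grok/Oniguruma syntax this is: (?:\t(?<name>[^\t]*))?
    return rf"(?:\t(?P<{name}>[^\t]*))?"


PATTERN = re.compile(
    "^" + HEADER + "".join(optional_field(n) for n in OPTIONAL_FIELDS) + r"\s*$"
)


def parse(line: str) -> Optional[dict]:
    """Return a dict of fields, with missing or empty optional fields as None."""
    m = PATTERN.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # A group that did not participate returns None; an empty field between two
    # tabs returns ''. Treat both as "no data" so downstream code sees one shape.
    for name in OPTIONAL_FIELDS:
        if not fields[name]:
            fields[name] = None
    return fields


# Constructed sample lines (tab-delimited, tab positions assumed).
_HEAD = [
    "ABC-LNV", "7099177", "1", "0", "MOVING", "In", "2020-01-16T14:30:35Z",
    "Error Process Out, Advice Qty. 1.000000, 1.000000 Shortage (manual) Order 911179536/1/1/0",
    "Error",
]
_TAIL = ["099-012383820-MOVING-E117199211.xml", "Inv. Mov Nr", "LNV-11GT014",
         "0", "1000002IPCC", "14230106", "0342", "username", "MA3G"]

FULL_LINE = "\t".join(_HEAD + _TAIL)          # every field present
SHORT_LINE = "\t".join(_HEAD)                 # stops right after the level
GAPPY_LINE = "\t".join(_HEAD + ["", "Inv. Mov Nr", "LNV-11GT014"])  # empty file field

if __name__ == "__main__":
    for label, line in (("full", FULL_LINE), ("short", SHORT_LINE), ("gappy", GAPPY_LINE)):
        print(label, parse(line))
```

The same pattern, written with `(?<name>...)` groups, can be pasted into a grok filter; because each trailing field is independently optional, adding or removing columns later only means editing the `OPTIONAL_FIELDS` list rather than rewriting the expression.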
