Hello,
I would like to parse a log and also parse a sub-log (which is a field of the parent log) and ingest them into two different logs.
Is this possible, and if so, which method or script should be used?
Thank you in advance!
Hi,
If you want to ask questions in French, please do it here.
What is the format of your data?
Grok gives a possibility to do that:
If we take this log line:
    try number 123456 on 123456789
With a grok pattern like this:
    filter {
      grok {
        match => {
          "message" => "(?<message>%{WORD} %{WORD} %{INT:num_try} %{WORD} (?<total_try>[0-9]+))"
        }
      }
    }
The result is:
    "message": [
      [
        "try number 123456 on 123456789"
      ]
    ],
    "num_try": [
      [
        "123456"
      ]
    ],
    "total_try": [
      [
        "123456789"
      ]
    ]
So in grok you can create a custom pattern with this syntax: (?<field_name> pattern here). This pattern can contain other custom patterns or existing patterns (num_try and total_try in the example).
Another solution would be to copy the global pattern into another field with the mutate filter and edit the copied field in ruby.
Cad.
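The nested named captures from the reply above, as an added Ruby example that is not part of the original thread and is not Logstash code. The helpers `expand`, `grok_match` and `split_events` are hypothetical names; the `WORD` and `INT` definitions are assumed to match the stock grok pattern file.

```ruby
# Minimal stand-in for grok's pattern expansion, limited to the two
# library patterns the post uses (definitions assumed from stock grok).
PATTERNS = {
  "WORD" => '\b\w+\b',
  "INT"  => '(?:[+-]?(?:[0-9]+))'
}.freeze

# The grok expression from the post: an outer custom capture (message)
# wrapping a library capture (num_try) and a second custom one (total_try).
GROK = '(?<message>%{WORD} %{WORD} %{INT:num_try} %{WORD} (?<total_try>[0-9]+))'

# %{NAME} becomes a non-capturing group, %{NAME:field} a named group.
def expand(grok)
  grok.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = PATTERNS.fetch(name) { raise ArgumentError, "unknown pattern #{name}" }
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Returns a hash of all named captures, or nil when the line does not
# match (the case Logstash tags with _grokparsefailure).
def grok_match(grok, line)
  m = Regexp.new(expand(grok)).match(line)
  m && m.named_captures
end

# Hypothetical split into a parent record and a sub record, mirroring the
# goal of sending the parent log and its sub-fields to two destinations.
def split_events(fields)
  parent = { "message" => fields["message"] }
  sub = {
    "num_try"   => Integer(fields["num_try"], 10),   # base 10: no octal surprise
    "total_try" => Integer(fields["total_try"], 10)
  }
  [parent, sub]
end

# Constructed sample lines: the one from the post, plus one that must fail.
["try number 123456 on 123456789", "try number abc on 12"].each do |line|
  fields = grok_match(GROK, line)
  if fields
    parent, sub = split_events(fields)
    puts "parent=#{parent} sub=#{sub}"
  else
    puts "no match, skipped: #{line.inspect}"
  end
end
```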
Thank you so much for your response.
My problem was to use two patterns (in the block input {file}) for the same logs.
It was like parsing the same file in two different ways.
Finally I had no solution, so I used two .conf files.
Thank you again.