Two kinds of logs, the same grok

Incauto · December 30, 2019, 4:52pm

Hi, I have two kinds of logs. if the server is linux it display : "$1" after the string "Used disk space on", and if the server is windows display the letter of the drive: "C:"
Logs:

12/28/19 21:59:10 server-hostname Used disk space on $1 (percentage) vfs.fs.size[/boot,pused] 23.2783

12/28/19 22:44:01 server-hostname Used disk space on C: (percentage) vfs.fs.size[C:,pused] 49.5835

12/28/19 21:54:02 server-hostname Used disk space on D: (percentage) vfs.fs.size[D:,pused] 41.7053

Grok:

%{DATA:date} %{TIME:time} %{DATA:hostname} Used disk space on ??? \(percentage\) vfs.fs.size\[%{DATA:disc},pused\] %{NUMBER:percent}

it is posible to parse the logs with the same grok, maybe ignorin those characters, represented by the three question marks

Badger · December 30, 2019, 5:26pm

Why not use %{NOTSPACE} to match that?

Incauto · December 30, 2019, 6:02pm

Thanks again Badger!

%{DATA:date} %{TIME:time} %{DATA:hostname} Used disk space on \S+ \(percentage\) vfs.fs.size\[%{DATA:disc},pused\] %{NUMBER:percent}

system · January 27, 2020, 6:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.