Hello, I am trying to extract a hostname from a log. I test my Grok filter in the Grok debugger using the NOTSPACE pattern and I can extract the hostname "DEV-1010-1010-D-B1F6R01". But in Kibana, I get an "invalid" message for that index pattern. I've already tried to refresh my index patterns with no success. I can extract the other lines from the log file just fine; the hostname in this log line is "DEV-1010-1010-D-B1F6R01".
Here is one line from my log:
Dec 13 13:33:42 Men and Mice Central: [10640 DHCPSynchronizationThread] Error sending scope list request to DHCP server "DEV-1010-1010-D-B1F6R01."
It does fetch app_source and error_message; see the delimiters it comes back with below. Here is the log line:
Dec 13 13:33:42 Men and Mice Central: [10640 DHCPSynchronizationThread] Error sending scope list request to DHCP server "HOU-AS01-2960-D-B1F6R01."
Delimiters:
app_source:Men and Mice Central
error_message: [10640 DHCPSynchronizationThread] Error sending scope list request to DHCP server
Here is my filter:
grok {
  match => { "message" => "%{SYSLOGTIMESTAMP:time_stamp} %{DATA:app_source} %{GREEDYDATA:error_message} %{NOTSPACE:dhcp.hostname}" }
}
Update: I was able to use Dissect to retrieve the hostname from the log lines. Here is my filter.
dissect {
  mapping => {
    "message" => "%{syslog_timestamp} %{+syslog_timestamp} %{+syslog_timestamp} %{logsource} %{+logsource} %{+logsource} %{+logsource} %{} %{} %{} %{} %{} %{} %{} %{} %{} %{} %{dhcp_hostname}"
  }
}
I need to figure out a way to group the empty fields and avoid having multiple %{} delimiters. Thanks to those that replied.
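Added illustration, not code from the post or from Logstash: a minimal Python re-implementation of dissect's positional semantics, run over the log line quoted above with the posted mapping and with a shorter mapping that uses the literal ` "` and `."` surrounding the hostname as delimiters instead of ten `%{}` skips. The shorter mapping is an assumption about how dissect's multi-character delimiters apply to this line; the function `dissect` and both mapping constants are mine.

```python
import re

# Constructed sample: the log line quoted in the post.
LOG_LINE = ('Dec 13 13:33:42 Men and Mice Central: [10640 DHCPSynchronizationThread] '
            'Error sending scope list request to DHCP server "DEV-1010-1010-D-B1F6R01."')

# The mapping from the post: ten %{} skips before the hostname token.
MAPPING_POSTED = ('%{syslog_timestamp} %{+syslog_timestamp} %{+syslog_timestamp} '
                  '%{logsource} %{+logsource} %{+logsource} %{+logsource} '
                  + '%{} ' * 10 + '%{dhcp_hostname}')

# Assumed alternative: let the literal ' "' and '."' around the hostname act as
# delimiters, so the middle of the line becomes one field and no skips are needed.
MAPPING_SHORT = ('%{syslog_timestamp} %{+syslog_timestamp} %{+syslog_timestamp} '
                 '%{logsource} %{+logosource} %{+logsource} %{+logsource} '
                 '%{error_message} "%{dhcp_hostname}."')

FIELD_RE = re.compile(r'%\{([^}]*)\}')


def dissect(mapping, line):
    """Simplified dissect: fields are positional and separated by the literal
    text between %{...} tokens; %{} skips a token; %{+name} appends to name
    using the delimiter that precedes it. Returns a dict, or None when a
    delimiter from the mapping is not found in the line."""
    parts = FIELD_RE.split(mapping)
    delims, specs = parts[0::2], parts[1::2]   # len(delims) == len(specs) + 1
    if not line.startswith(delims[0]):
        return None
    pos = len(delims[0])
    out = {}
    for i, spec in enumerate(specs):
        delim = delims[i + 1]
        if delim == '':
            end = len(line)                     # last field takes the rest
        else:
            end = line.find(delim, pos)
            if end < 0:
                return None
        value = line[pos:end]
        pos = end + len(delim)
        if spec == '':
            continue                            # %{} : skip this token
        if spec.startswith('+'):
            name = spec[1:]
            out[name] = out.get(name, '') + delims[i] + value
        else:
            out[spec] = value
    return out
```

With the posted mapping dhcp_hostname still carries the surrounding quote and the trailing period; with the delimiter-based mapping it comes back as the bare hostname.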