I would like to create a grok filter in Logstash to set as field, a concrete part of a syslog message TTN-GW
string should be that field, the sort of message that is being sent to Logstash is as follows ( it comes from a syslog)
Oct 21 09:47:12 aaaa TTN-GW[1401]: #033[90m DEBUG#033[0m Handle stat #033[90mGatewayID#033[0m=SFDEGFKKGRSDFEEE #033[90madapter#033[0m=gateway-semtech
My grok filter looks like this, I have created it modifying a syslog filter (shown below),
filter {
if [type] == "TTN" {
grok {
match => { "message" => "%{DATE:date} %{SYSLOGHOST:syslog_hostname} %{TTNSERVICE:ttn_service}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "TTN_Service", "%{ttn_service}" ]
}
}
}
However, it doesn't work as expected and I don't know why, any hint?
Thanks in advance!
The following grok filter for syslog parse it properly,
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}