When I use a user-defined pattern, it doesn't work

I am now using the pattern below:
<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}%{SYSLOGHOST:origin_hostname}:%{unp:hahha}

And I defined unp as below:
unp ^\s{1}]$

When I input: <187>11497: PH18L1-CS29SW01: ]
it does not work.

But when I use :%{unp:hahha} and input: ]
it does work!
And it shows:
hahha:" ]"

Has anyone encountered the same issue?

Why is unp anchored? Does 'unp \s{1}]' work?

This is just an arbitrary name.
'unp \s{1}]' yes, it does work, because I can match the string “ ]” successfully if I only input " ]".
But what confuses me is that when I combine it with {SYSLOGHOST:origin_hostname}, it doesn't work.

^\s{1}]$ is anchored at both ends. It matches start-of-line, whitespace, right bracket, end-of-line. Remove the anchors and \s{1}] will match whitespace right bracket even in the middle of a line.

Still the same.
Now my input message is as below:
<189>11754: PH18L1-CS29SW01: ]: Oct 19 15:42:00.422 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to up

My pattern is:
<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}%{SYSLOGHOST:origin_hostname}:%{UNP:HHA}:%{SPACE}%{CISCOTIMESTAMP:cisco_timestamp}: %%{WORD:facility}-%{INT:severity}-%{WORD:mnemonic}: %{GREEDYDATA:msg}

And I defined my UNP as "(\s{1}])" or "(\s{1}])", it doesn't work!

But when I changed the input to " ]"
and changed the pattern to %{UNP:TEST},
it does work.
I think you can give it a try.

Right, but the problem has nothing to do with UNP. You can test that by matching the complete line against the pattern %{UNP:TEST}.

The problem is that CISCOTIMESTAMP does not consume the timezone.

Correct, I had found the reason, thank you.
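
An added example (not part of the original thread) that reproduces both failures discussed above with a minimal grok-style expander in Python. The pattern definitions are simplified stand-ins for the stock Logstash ones, and the `%{WORD:tz}` token is one assumed way to consume the timezone.

```python
import re

# Simplified stand-ins for the stock grok patterns named in the thread
# (assumption: the real Logstash definitions are broader than these).
PATTERNS = {
    "NUMBER": r"\d+", "INT": r"[+-]?\d+", "SPACE": r"\s*", "WORD": r"\b\w+\b",
    "SYSLOGHOST": r"[A-Za-z0-9][A-Za-z0-9.-]*",
    "CISCOTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d+)?",
    "GREEDYDATA": r".*",
}

def grok(expr, line, custom=None):
    """Expand %{NAME:field} references into one regex and return the fields."""
    table = {**PATTERNS, **(custom or {})}
    def expand(m):
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{table[name]})" if field else f"(?:{table[name]})"
    regex = re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, expr)
    m = re.search(regex, line)
    return m.groupdict() if m else None

# Inputs and patterns copied from the thread.
SHORT_LINE = "<187>11497: PH18L1-CS29SW01: ]"
SHORT_EXPR = ("<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}"
              "%{SYSLOGHOST:origin_hostname}:%{UNP:hahha}")
FULL_LINE = ("<189>11754: PH18L1-CS29SW01: ]: Oct 19 15:42:00.422 GMT: "
             "%LINEPROTO-5-UPDOWN: Line protocol on Interface "
             "GigabitEthernet1/0/7, changed state to up")
HEAD = ("<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}"
        "%{SYSLOGHOST:origin_hostname}:%{UNP:HHA}:%{SPACE}"
        "%{CISCOTIMESTAMP:cisco_timestamp}")
TAIL = ": %%{WORD:facility}-%{INT:severity}-%{WORD:mnemonic}: %{GREEDYDATA:msg}"
ANCHORED, UNANCHORED = {"UNP": r"^\s{1}]$"}, {"UNP": r"\s{1}]"}

def demo():
    return {
        "anchored_alone": grok("%{UNP:hahha}", " ]", ANCHORED),       # matches
        "anchored_mid_line": grok(SHORT_EXPR, SHORT_LINE, ANCHORED),  # None: ^ mid-pattern
        "unanchored_mid_line": grok(SHORT_EXPR, SHORT_LINE, UNANCHORED),
        "thread_pattern": grok(HEAD + TAIL, FULL_LINE, UNANCHORED),   # None: " GMT" left over
        # Assumed fix: consume the timezone token after the timestamp.
        "with_timezone": grok(HEAD + " %{WORD:tz}" + TAIL, FULL_LINE, UNANCHORED),
    }

if __name__ == "__main__":
    for name, fields in demo().items():
        print(f"{name:20} {fields}")
```

A log line that silently fails to parse usually ends up tagged `_grokparsefailure` with none of its fields extracted, so it is worth testing each pattern against a full sample line from the device before relying on the parsed fields.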
