Tried many way still fail. Thanks a lot for helping

filter {
grok {
match => {"message" => ["(?<message_date>^[0-9]+-[0-9]+-[0-9]+)%{SPACE}(?<message_time>[0-9]+:[0-9]+:[0-9]+)%{SPACE}(?<message_number>[0-9]+-[0-9]+)%{SPACE}%{WORD:message_type}%{SPACE}%{QS:main_message}"]}
}

 if "\:" in [message_main]
 {

grok {
match => {"message_main" => ["(?<process_name>(.+?):)(?<message_main2>(.+?)$)"]}
}
}
}

main_message= "44wwTSP:icscf2bb2.RtpAudMgr01: File: g:roup solidTraceFiles (path /var/RtpDb) is large: 152 MB"

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.