Reputation: 622
Pattern failure with grok due a longer integer in a column
I have used grok debugger to get the top format working and it is being seen fine by elasticsearch. Eventually, when a log line like the one below hit it shoots out a tag with "grokparsefailure" due to the extra space before each integer (I'm assuming). Is there a tag I can use to accept anything no matter how long or short for each column?
0000003B 2015-03-14 07:46:14.618 16117 16121
00000DA1 2015-03-14 07:45:54.609 6382 6382
Upvotes: 0
Views: 331
Answers (3)
Reputation: 46
It's also possible to use the built in logstash pattern %{SPACE} to match any number of whitespace characters.
%{INT:num1}%{SPACE}%{INT:num2}
Upvotes: 1
Reputation: 622
I ended up doing a custom filter since I knew my values were between 4-5 characters and then used patterns_dir => "./patterns" in my conf file.
_ID [0-9A-F]{4,5}
_ID2 [0-9A-F]{4,5}
UPDATE*****
my solution did not work because the number can be anywhere from 3 to 6 characters. The easier solution was provided above. Marked as answer.
Upvotes: 0
Related Questions
- ElasticSearch Grok Pattern issue for Custom Log String
- grok not parsing logs
- logstash grok issue while filtering data
- Grok filter for logstash to match a specific value from a log file
- Logstash GROK parsing of variable length set of key/value pairs
- Logstash Grok get number field
- Logstash Grok Parsing Issue
- grok filter for log pattern
- Logstash, grok filter not working for fixed length fields
- Logstash not matching the pattern