N3x
Reputation: 54
getting rid of colon in grok
Basically I was setting up an Elasticsearch-Logstash-Kibana (elk) stack for monitoring syslogs. Now I have to write the grok pattern for logstash.
Here's an example of my log:
May 8 15:14:50 tileserver systemd[25780]: Startup finished in 29ms.
And that's my pattern (yet):
%{SYSLOGTIMESTAMP:zeit} %{HOSTNAME:host} %{SYSLOGPROG:program}
Usually I'm also using %{DATA:text} for the message but it just works on the link below.
I'm using Test grok patterns to test my patterns and these 3 work fine but there's the colon (from after PID) in front of the message and I don't want it to be there. How do I get rid of it?
Upvotes: 0
Views: 1641
Answers (1)
LinPy
Reputation: 18618
try this:
%{SYSLOGTIMESTAMP:zeit} %{HOSTNAME:host} %{GREEDYDATA:syslog_process}(:) %{GREEDYDATA:message}
Upvotes: 2
Related Questions
- Grok Parsing Failure in logstash with Pattern That Includes Square Brackets
- Logstash grok square brackets
- grok parsing issue
- How to remove "\" in logstash?
- Need to shorten Grok Pattern
- Logstash grok for special character
- Logstash grok pattern issue
- Two different syntax in grok
- String all characters in grok
- Logstash Grok parser