If you’re lucky, most of your log messages in a given input will arrive in a standard format, typically with a set of common fields at the front (date, time, server, etc).<\/p>\n
Rather than multiple grok{} patterns that are looking across the entire message, like these:<\/p>\n
grok {\r\n match => [\"message\", \"%{SYSLOGTIMESTAMP:syslogtime} %{HOSTNAME:sysloghost} Save this %{WORD:word1}\"]\r\n tag_on_failure => [\"_grokparsefailure_match1\"]\r\n}\r\n\r\ngrok {\r\n match => [\"message\", \"%{SYSLOGTIMESTAMP:syslogtime} %{HOSTNAME:sysloghost} Save this other %{WORD:word2}\"]\r\n tag_on_failure => [\"_grokparsefailure_match2\"]\r\n}<\/pre>\nI like to split off the common stuff:<\/p>\n
grok {\r\n match => [\"message\", \"%{SYSLOGTIMESTAMP:syslogtime} %{HOSTNAME:sysloghost} %{GREEDYDATA:message}\"]\r\n overwrite => [ \"message\" ]\r\n tag_on_failure => [\"_grokparsefailure_syslog\"]\r\n}\r\n<\/pre>\nNote that the last pattern puts the results into the field “message”. \u00a0Since that field already exists, we have to use the “overwrite” setting to update it.<\/p>\n
Then use smaller patterns against this smaller “message” for your application specific info:<\/p>\n
grok {\r\n match => [\"message\", \"Save this %{WORD:word1}\"]\r\n tag_on_failure => [\"_grokparsefailure_match1\"]\r\n}\r\n<\/pre>\nThis is easier to read, and the later grok{}s will be running smaller regexps
\nagainst smaller input, which should be faster.<\/p>\n","protected":false},"excerpt":{"rendered":"
If you’re lucky, most of your log messages in a given input will arrive in a standard format, typically with a set of common fields at the front (date, time, server, etc). Rather than multiple grok{} patterns that are looking … Continue reading