#logstash

ho ok, but why in demo.kibana.org there is not @fields ?

vks: you will need to set negate to true ( so it does a grep -v ) and set drop to false . then you need to set the pattern to something you don't want parsing to happen.. and set add_tag to a tag. and let the other filters only react on that tag.

i had done that

need to verify once more

vks, okay. can you pastie/pastebin/gist your config so i can take a look?

ok

Title: grep { match => [ "@message", "TenantId:[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4 - Pastebin.com (at pastebin.com)

electrical

i am getting _grokparsefailure when TenantId: pattern is there

okay. in your first grep, you need to set drop to false.. because it defaults to true ( so it will drop the event )

sorry the case is same for drop => false

okay

looks all good then. could you also paste some example logs for both cases?

Title: grep { match => [ "@message", "TenantId:[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4 - Pastebin.com (at pastebin.com)

u can see the @tags

currently i am doing output to stdout

yeah. so its failing on the second part

which means after matching for first grep

it is going to match second one

and there it is getting _grokparsefailure

so how to deal with that??

yeah. but for some reason it doesn't match the grok pattern indeed. can you paste the whole log entry its failing on? ( ps. i need to leave in 10 minutes, but will be back online later )

electrical i am jar file directly and hadn't set any log file. Does logstash by default create the log file

vks, i mean part of the log you are trying to parse :-)

Title: grep { match => [ "@message", "TenantId:[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4 - Pastebin.com (at pastebin.com)

u can see the log output

if this is not the way then how we can match the multiple pattern

Does whack do sponsored development?

jonconley, how do you mean? sponsored development?

Similar to this: http://www.zabbix.com/development_services.php

Title: Homepage of Zabbix :: An Enterprise-Class Open Source Distributed Monitoring Solution (at www.zabbix.com)

So, if you want a feature, you spec it out, he tells you what he can/can't do and the cost.

Community can crowdsource it

Or a company can just foot the bill themselves, like mine

might be something he could consider but not sure.

and he is the sole developer correct? or 99% of the code is him?

he should be online in 2-4 hours or so. you can ask him

ok, thanks electrical

np

electrical any idea??

vks, not sure. will need to double check later when i'm home.

ok

thnx

please ping me when i'm online again later.

how can we deal with multiple pattern in logstash??

vks: what do you mean?

Title: grep { match => [ "@message", "TenantId:[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4 - Pastebin.com (at pastebin.com)

feylya

i had sent u conf file

what are you trying to achieve?

feylya: i am lookin for the word TenantId i need to use one grok pattern and if it is not there it had to use second grok pattern

bodik???

yes

vks: you can use multiple patterns in the same grok filter

can u explain a bit???

bodik: http://pastebin.com/nUFdEpq4

Title: grep { match => [ "@message", "TenantId:[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4 - Pastebin.com (at pastebin.com)

what needs to be explained?

my requirment is If the message has "TenantId" use pattern "XYZ" else if message has "ABC" use pattern "PQR" else use pattern "RTY" . U can have a look of on my conf file , how i have done

Title: grep { match => [ "@message", "TenantId:[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4 - Pastebin.com (at pastebin.com)

so what's not working?

"tenant_id":["c701192b-fcad-4378-995d-f9dc05747aa4"],"received_at":["2013-05-31T12:40:23.729Z"],

where's the problem ?

probably you mean where the _grokparsefail is comming from ?

so ?

what's the problem >/

?

bodik: yes _grokparsefailure is coming

and that also b'coz it try to parse the second pattern

does that matter?

test

vks: from that last grok

passwed

passed, too

cause filter without type, or exclude_tags or tags will handle every message

so if you want to have final else you probably need to make some exclustion or more add_tag-or-remove_tag--magic-here

imho, i've never done this yet

could be ?

New news from newjiraissues: Lynn Roth created LOGSTASH-835 - Issue with 1.1.8 on windows <https://logstash.jira.com/browse/LOGSTASH-835>;

hm