Anyway: what is the semantic meaning of the first attribute of the match directive? "message" in my example? match => {"message", "%{SYSLOGLINE}"}
magnumbonum: I've written what you're trying to do differently, I use (test %{GREEDYMESSAGE:messagefield}|test2 %{GREEDYMESSAGE:messagefield}|....)
magnumbonum
that is how I worked out the specific matches. The question is how the "message" attribute is constructed. When logstash eats the SYSLOGLINE statement, it correctly strips off the "header" from the syslog message, which is already added to the correct fields. My hope was that I could use several match statements to pick out more data, but still get the entire syslog message in "message" for easier log comprehension by the analyst.
Jarth: hmm, let's see if I understand...
freezey_ has quit
pweaver_ has quit
chifas has quit
JohnnyRun joined the channel
ohlol has quit
kireevco has quit
you mean GREEDYDATA?
Jarth
ehr, yes, it's 9am here
;)
the only part which fails is detecting the variable part in the message
tombar has quit
saurajeetd joined the channel
tombar joined the channel
chifas joined the channel
magnumbonum: might it not be preferable to just write your own extended patterns?
tombar has quit
magnumbonum
yeah, might be. It's just that regexes have a tendency to become "write once, understand never" for me ;-)
I was hoping for the multiple matches feature, which seems to be more straightforward for understanding what is configured.
lennartkoopmann joined the channel
Thanks a bunch Jarth, I will explore some more...
Jarth
magnumbonum: regex complexity is overrated, just use what you know, or document what you used in something you don't throw away easily
magnumbonum: I only use a regex to have patterns replaced, detected, also to have OR conditional filters
kroepke joined the channel
Tdey has quit
magnumbonum
I think what I want to do is to *not* have conditional filters - I want AND filters. First pick out the specific fields I am interested in, such as username or IP. Then store the entire message line.
TomasNunez1 joined the channel
jotterbot1234 has quit
What about using individual grok statements? First eat the entire message, store it properly. Then in an individual grok statement eat the specific? Will give it a try.
gammalget joined the channel
tim|mint joined the channel
gauravarora_ joined the channel
gauravarora has quit
gauravarora_ is now known as gauravarora
lennartkoopmann has quit
Jarth
magnumbonum: afraid I'm too much of a n00b at logstash & grok to be of any real assistance
I only use the (..|..|..|) on the part that is not getting indexed
gauravarora has quit
gauravarora joined the channel
gammalget
Anyone here exporting/archiving logs for "logtime storage"?
Jarth has quit
Jarth joined the channel
Bastian1 joined the channel
cleaning up is easy with curator imho.. But now I'm looking to export/archive as txt.gzip or such..
codex0 joined the channel
magnumbonum
Jarth: figured it out. I looked at the SYSLOGPAMSESSION which worked and does what I want, modified that and I am good to go!
Jarth
magnumbonum: great, will you upload the pattern as an extension to github?
papercode has quit
Gazzonyx has quit
gauravarora has quit
noperle has quit
noperle joined the channel
hatchetation has quit
neoice has quit
hatchetation joined the channel
dparker has quit
swc|666 has quit
FrozenFire has quit
kizzale_ has quit
neoice joined the channel
petracvv_ joined the channel
petracvv has quit
robawt has quit
kizzale joined the channel
dparker joined the channel
magnumbonum
sure. The patterns need a little work before they are ready for prime time... Any pointers on how to go about it? Fork it and push request?
FrozenFire joined the channel
freezey joined the channel
robawt joined the channel
tombar joined the channel
chifas has quit
swc|666 joined the channel
kroepke has quit
freezey has quit
aljohri has quit
tombar_ joined the channel
tombar has quit
koendc has quit
tombar_ has quit
aljohri joined the channel
tombar joined the channel
kroepke joined the channel
TomasNunez has quit
tombar has quit
aljohri has quit
riddopic joined the channel
wilmoore joined the channel
kroepke has quit
riddopic has quit
lennartkoopmann joined the channel
gauravarora joined the channel
lennartkoopmann has quit
Jarth
magnumbonum: clueless really, subscribe and upload for merge ?
AndroidLoverInSF has quit
kjstone00 joined the channel
magnumbonum: ask on this list what to do ? :)
orbit_darren has quit
orbit_darren joined the channel
goncalop joined the channel
aqquadro joined the channel
N-Mi joined the channel
habanero joined the channel
shub-niggurath joined the channel
digitalfx has quit
habanero_ has quit
ktosiek joined the channel
olebill joined the channel
ohlol joined the channel
shub-niggurath has quit
Matrix_ is now known as Matrix
Matrix has quit
Matrix joined the channel
ohlol has quit
ohlol joined the channel
freezey joined the channel
mikeybisbo joined the channel
ohlol has quit
freezey has quit
tombar joined the channel
NetScr1be has quit
tombar has quit
Bastux joined the channel
Muffin joined the channel
Muffin
hi!
NetScr1be joined the channel
I need some help with the imap plugin ... it causes the logstash process to trash
anyone running this plugin?
message=>"A plugin had an unrecoverable error. Will restart this plugin.\n Plugin: <LogStash::Inputs::IMAP host=>\"xxx.bla.net\", user=>\"blabla\", content_type=>\"text/plain\">\n Error: undefined method `encode' for nil:NilClass", :level=>:error}
wowi_ joined the channel
wowi_
Hi guys
I have some problems: I want to match some tags in the output section of logstash. I want to send a mail when there is a notification tag in the element. How can I do this? I tried if "notification" in [tags], if [tags] == "notification", but no results... Help me please