Regex to filter out last column of a log

scottwilkerson · Post by **scottwilkerson** » Thu Feb 27, 2020 10:17 am

You would need to create a grok filter in the configuration as described in this document
https://assets.nagios.com/downloads/nag ... ilters.pdf

Then, when logs come in it will break the logs that match the filter into different fields instead of them all being in the message field

tvoll · Post by **tvoll** » Fri Feb 28, 2020 6:02 pm

I tried that before and it still isn't working.
Look at the example I pasted in my prior post.
What did I do wrong?

scottwilkerson · Post by **scottwilkerson** » Mon Mar 02, 2020 7:56 am

tvoll wrote:I tried that before and it still isn't working.
Look at the example I pasted in my prior post.
What did I do wrong?

Sorry I didn't see your example, it would need to be something like this

Code: Select all

if [host] == '0.0.0.0' {
    grok {
        match => [ 'message', '%{SYSLOG5424PRI}%{SYSLOGBASE} %{WORD} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT:IOUTIL}' ]
        overwrite => [ 'message' ]
    }
}

changing 0.0.0.0 to the host sending these messages

tvoll · Post by **tvoll** » Mon Mar 02, 2020 10:35 am

scottwilkerson wrote:
tvoll wrote:I tried that before and it still isn't working.
Look at the example I pasted in my prior post.
What did I do wrong?
Sorry I didn't see your example, it would need to be something like this
Code: Select all
if [host] == '0.0.0.0' {
    grok {
        match => [ 'message', '%{SYSLOG5424PRI}%{SYSLOGBASE} %{WORD} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT:IOUTIL}' ]
        overwrite => [ 'message' ]
    }
}
changing 0.0.0.0 to the host sending these messages

I applied it, and it is still not working. It adds the IOUTIL Field, but when I filter by it, it shows that nothing has that result, and so it stays empty. Looking at individual results, the tag field has the entry "_grokparsefailure".

scottwilkerson · Post by **scottwilkerson** » Mon Mar 02, 2020 10:49 am

Actually, I think this line should be removed

Code: Select all

overwrite => [ 'message' ]

We may need to see actual examples of these, if you still cannot get this to work, please open a ticket here and reference this thread
https://support.nagios.com/tickets/

tvoll · Post by **tvoll** » Mon Mar 02, 2020 3:10 pm

scottwilkerson wrote:Actually, I think this line should be removed
Code: Select all
overwrite => [ 'message' ]
We may need to see actual examples of these, if you still cannot get this to work, please open a ticket here and reference this thread
https://support.nagios.com/tickets/

Still no go.
Sent in a ticket on the matter.

Post by **cdienger** » Mon Mar 02, 2020 3:49 pm

Ticket received. We will close this thread and work through the ticket.

Nagios Support Forum

Regex to filter out last column of a log

Re: Regex to filter out last column of a log

Re: Regex to filter out last column of a log

Re: Regex to filter out last column of a log

Re: Regex to filter out last column of a log

Re: Regex to filter out last column of a log

Re: Regex to filter out last column of a log

Re: Regex to filter out last column of a log