Re: Regex to filter out last column of a log
Posted: Thu Feb 27, 2020 10:17 am
by scottwilkerson
You would need to create a grok filter in the configuration as described in this document
https://assets.nagios.com/downloads/nag ... ilters.pdf
Then, when logs come in it will break the logs that match the filter into different fields instead of them all being in the message field
Re: Regex to filter out last column of a log
Posted: Fri Feb 28, 2020 6:02 pm
by tvoll
I tried that before and it still isn't working.
Look at the example I pasted in my prior post.
What did I do wrong?
Re: Regex to filter out last column of a log
Posted: Mon Mar 02, 2020 7:56 am
by scottwilkerson
tvoll wrote: I tried that before and it still isn't working.
Look at the example I pasted in my prior post.
What did I do wrong?
Sorry I didn't see your example, it would need to be something like this
Code:
if [host] == '0.0.0.0' {
  grok {
    match => [ 'message', '%{SYSLOG5424PRI}%{SYSLOGBASE} %{WORD} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT:IOUTIL}' ]
    overwrite => [ 'message' ]
  }
}
changing 0.0.0.0 to the host sending these messages
Re: Regex to filter out last column of a log
Posted: Mon Mar 02, 2020 10:35 am
by tvoll
scottwilkerson wrote:
tvoll wrote: I tried that before and it still isn't working.
Look at the example I pasted in my prior post.
What did I do wrong?
Sorry I didn't see your example, it would need to be something like this
Code:
if [host] == '0.0.0.0' {
  grok {
    match => [ 'message', '%{SYSLOG5424PRI}%{SYSLOGBASE} %{WORD} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT} %{BASE16FLOAT:IOUTIL}' ]
    overwrite => [ 'message' ]
  }
}
changing 0.0.0.0 to the host sending these messages
I applied it, and it is still not working. It adds the IOUTIL field, but when I filter by it, it shows that nothing has that result, and so it stays empty. Looking at individual results, the tag field has the entry "_grokparsefailure".
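The grok filter described in the first reply above and the _grokparsefailure result reported here, as an added example that is not part of the thread and is not Nagios or Logstash code: a small Python script that expands the thread's grok pattern into a plain regex and runs it over constructed iostat-style syslog lines, so you can see which lines yield an IOUTIL field and which come back tagged _grokparsefailure. The pattern definitions are trimmed copies of the ones in logstash-patterns-core (three-letter month names only, hostnames without the IP alternative, one upstream lookahead dropped); the sample lines, the host name dbhost and the program name iostat are made up for the example, since the real log line is not shown on this page.

```python
import re

# Added illustration, not Logstash or Nagios code: a minimal grok expander so the
# pattern from the thread can be tried offline.  Pattern bodies are trimmed copies
# of logstash-patterns-core's grok-patterns: MONTH keeps only three-letter names,
# SYSLOGHOST takes hostnames only (upstream also allows IP literals) and TIME drops
# an upstream lookahead.  WORD, BASE16FLOAT, PROG and SYSLOGBASE follow upstream,
# and those are the ones that decide whether the thread's pattern matches.
PATTERNS = {
    "NONNEGINT": r"\b(?:[0-9]+)\b",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "WORD": r"\b\w+\b",
    "BASE16FLOAT": (r"\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+"
                    r"(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b"),
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": (r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                 r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)"),
    "SYSLOGHOST": r"%{HOSTNAME}",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",
    "SYSLOGPROG": r"%{PROG:program}(?:\[%{POSINT:pid}\])?",
    "SYSLOGFACILITY": r"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>",
    "SYSLOGBASE": (r"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?"
                   r"%{SYSLOGHOST:logsource} %{SYSLOGPROG}:"),
    "SYSLOG5424PRI": r"<%{NONNEGINT:syslog5424_pri}>",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern, patterns=PATTERNS):
    """Rewrite %{NAME} as (?:...) and %{NAME:field} as (?P<field>...), recursively."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        inner = expand(patterns[name], patterns)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(sub, pattern)


def grok(pattern, line):
    """Mimic the Logstash grok filter: unanchored search; on a match return the
    captured fields, on a miss return no fields plus the _grokparsefailure tag."""
    m = re.compile(expand(pattern)).search(line)
    if m is None:
        return {}, ["_grokparsefailure"]
    return {k: v for k, v in m.groupdict().items() if v is not None}, []


# The match pattern from the thread: syslog header, device name, 13 numeric
# columns, the last one captured as IOUTIL.
THREAD_PATTERN = ("%{SYSLOG5424PRI}%{SYSLOGBASE} %{WORD} "
                  + "%{BASE16FLOAT} " * 12 + "%{BASE16FLOAT:IOUTIL}")

# Constructed sample lines (not from the thread): iostat -x style rows relayed
# over syslog; host name and program name are made up.
OK_LINE = ("<13>Mar  2 10:17:00 dbhost iostat: sda "
           "0.00 1.20 0.50 3.10 8.00 40.40 19.75 0.01 2.44 1.10 2.66 0.71 0.26")
NO_COLON = OK_LINE.replace("iostat:", "iostat")   # SYSLOGBASE ends in a literal ':'
HYPHEN_DEV = OK_LINE.replace(" sda ", " dm-0 ")   # %{WORD} is \w+ and stops at '-'
SHORT_ROW = OK_LINE.rsplit(" ", 1)[0]             # 12 numeric columns, pattern wants 13


def check(line):
    """Return (IOUTIL value or None, tags) for one line under THREAD_PATTERN."""
    fields, tags = grok(THREAD_PATTERN, line)
    return fields.get("IOUTIL"), tags


if __name__ == "__main__":
    for label, line in (("ok", OK_LINE), ("no colon", NO_COLON),
                        ("hyphen", HYPHEN_DEV), ("12 cols", SHORT_ROW)):
        ioutil, tags = check(line)
        print(f"{label:9} IOUTIL={ioutil!r} tags={tags}")
```

The three failing lines show the usual reasons a pattern like this ends up tagged _grokparsefailure: SYSLOGBASE ends in a literal colon, so a program name that is not followed by ":" never matches; %{WORD} is \w+, so it stops at the hyphen in a device name such as dm-0; and the pattern demands exactly 13 numeric columns, so a row with 12 fails as a whole instead of filling the fields it could. In every failing case grok sets no IOUTIL at all, which is why a filter on that field then shows nothing. Paste the actual line from your source into OK_LINE (or run it through the same function) before adjusting the pattern, rather than guessing at which part of it is off.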
Re: Regex to filter out last column of a log
Posted: Mon Mar 02, 2020 10:49 am
by scottwilkerson
Actually, I think this line should be removed
We may need to see actual examples of these, if you still cannot get this to work, please open a ticket here and reference this thread
https://support.nagios.com/tickets/
Re: Regex to filter out last column of a log
Posted: Mon Mar 02, 2020 3:10 pm
by tvoll
scottwilkerson wrote: Actually, I think this line should be removed
We may need to see actual examples of these, if you still cannot get this to work, please open a ticket here and reference this thread
https://support.nagios.com/tickets/
Still no go.
Sent in a ticket on the matter.
Re: Regex to filter out last column of a log
Posted: Mon Mar 02, 2020 3:49 pm
by cdienger
Ticket received. We will close this thread and work through the ticket.