elasticsearch - Logstash not parsing multiple named capture groups
I have started playing around with Logstash, Elasticsearch, and Kibana for visualisation of logs, and I am experiencing problems.
I have a log file being gathered by Logstash, and I want to extract fields from the log entries before writing these to Elasticsearch.
I have defined a filter with a number of named capture groups in the Logstash config file, but at this point only the first of the named capture groups is matching.
My log file looks like the following:
[2014-01-31 12:00:00] [field1:somevalue] [field2:somevalue]
And my Logstash filter looks like the following:
if [type] == "mytype" {
  grok {
    match => [
      "message", "(?<timestamp>regex)",
      "message", "(?<field1>regex)",
      "message", "(?<field2>regex)"
    ]
  }
}
I have verified that the regexes for the fields are correct, but when I go to the Kibana dashboard, field1 and field2 are not appearing.
If anyone can shed light on this, I would be grateful.
Thanks
Kevin
Grok's default behavior is to stop processing after the first match.
You can change this by setting break_on_match to false:
if [type] == "mytype" {
  grok {
    match => [
      "message", "(?<timestamp>regex)",
      "message", "(?<field1>regex)",
      "message", "(?<field2>regex)"
    ]
    # Keep trying the remaining patterns after the first one matches
    break_on_match => false
  }
}
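The following Python model is an added example, not part of the original question or answer and not Logstash's own code. It reproduces the behavior described in the answer on the question's sample line; the three concrete regexes, the function names `grok_model` and `missing_fields`, and the sample constant are assumptions standing in for the "regex" placeholders above.

```python
import re

# Constructed sample line in the format shown in the question.
SAMPLE = "[2014-01-31 12:00:00] [field1:somevalue] [field2:somevalue]"

# Constructed stand-ins for the question's three "regex" placeholders.
# Python spells named groups (?P<name>...); grok uses (?<name>...).
PATTERNS = [
    r"\[(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]",
    r"\[field1:(?P<field1>[^\]]*)\]",
    r"\[field2:(?P<field2>[^\]]*)\]",
]


def grok_model(message, patterns, break_on_match=True):
    """Simplified model of grok trying a list of patterns against one field."""
    fields = {}
    for pattern in patterns:
        m = re.search(pattern, message)
        if m is None:
            continue  # this pattern did not match; try the next one
        fields.update(m.groupdict())
        if break_on_match:
            break  # default: stop after the first successful match
    return fields


def missing_fields(fields, expected=("timestamp", "field1", "field2")):
    """Expected fields that were not extracted; usable as a parsing self-check."""
    return [name for name in expected if name not in fields]


if __name__ == "__main__":
    for flag in (True, False):
        out = grok_model(SAMPLE, PATTERNS, break_on_match=flag)
        print(f"break_on_match={flag}: {out} missing={missing_fields(out)}")
```

A check like `missing_fields` on indexed events is a quick way to notice that a parser is silently dropping fields that later searches or alerts depend on.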