Df -h and regex

Hello everybody

Regex is a real headache for me.

I have this log from one of my servers: Aug 23 12:30:01 vm-graylog root: /dev/mapper/cl-root 396G 220G 176G 56% /

I would like to extract the free space information (176). I have already made a regular expression:
.?\d+.?\d+.?\d+.?\d+.?\d+.?\d+.*?(\d\d+) which “works”, but it’s not a good solution, because when I have the same kind of log, like: Aug 23 12:30:01 eyesofnetwork root: /dev/mapper/eyesofnetwork-root 14G 3,8G 9,7G 28% / and I want to extract 9.7 or just 9, my regex doesn’t work…

I have been searching for a solution for a long time (my own or someone else’s), but I didn’t find any good one.

Do you have any tips, advice or solutions for me?

Sorry for my bad English

Just my 2 cents, but using Grok patterns might be simpler in this case.

Thank you for the help :wink:

Is it possible to split the log and just select the information I need with a grok pattern?

I haven’t researched grok patterns yet because they sound complicated.

Thank you so much jochen for the advice, it works very well and for both df -h logs!

%{SYSLOGBASE}%{SPACE}%{PATH}%{SPACE}%{WORD}%{SPACE}%{PROG}%{SPACE}%{NUMBER:FreeSpace;int}
Meanwhile, my grok pattern doesn’t treat the number as a numerical field even if I put “;int” at the end. Is it a bug?

To solve this I have made another extractor, a copy input, and I converted my data to numerical, in order to make widgets with good information.

The “FreeSpace” field is probably a string in the Elasticsearch index mapping.

Check out http://docs.graylog.org/en/2.3/pages/configuration/elasticsearch.html#custom-index-mappings for information about custom index mappings.
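
For readers who want to check the extraction outside Graylog, here is an added example (not code from any poster in this thread) that parses the two log lines quoted above with named groups and returns the free space as a number. It assumes the usual `df -h` column order (Filesystem, Size, Used, Avail, Use%, Mounted on) and binary units; the names `parse_df_line` and `to_bytes` are hypothetical.

```python
import re

# The two sample log lines quoted in the thread.
SAMPLES = [
    "Aug 23 12:30:01 vm-graylog root: /dev/mapper/cl-root 396G 220G 176G 56% /",
    "Aug 23 12:30:01 eyesofnetwork root: /dev/mapper/eyesofnetwork-root 14G 3,8G 9,7G 28% /",
]

# One df -h size: digits, optional "." or "," decimal part, optional unit.
SIZE = r"\d+(?:[.,]\d+)?[KMGTPE]?"
# Assumption: df -h reports powers of 1024.
UNITS = {u: 1024 ** i for i, u in enumerate(["", "K", "M", "G", "T", "P", "E"])}

DF_LINE = re.compile(
    rf"""
    :\s+(?P<filesystem>\S+)     # first field after the syslog tag and colon
    \s+(?P<size>{SIZE})
    \s+(?P<used>{SIZE})
    \s+(?P<avail>{SIZE})
    \s+(?P<use_pct>\d+)%
    \s+(?P<mount>/\S*)\s*$
    """,
    re.VERBOSE,
)

def to_bytes(text):
    """Convert a df -h size such as '9,7G' or '176G' to an integer byte count."""
    m = re.fullmatch(r"(\d+(?:[.,]\d+)?)([KMGTPE]?)", text)
    if m is None:
        raise ValueError(f"not a df -h size: {text!r}")
    number = float(m.group(1).replace(",", "."))  # locale comma -> dot
    return int(number * UNITS[m.group(2)])

def parse_df_line(line):
    """Return the df fields as a dict, or None if the line is not a df row."""
    m = DF_LINE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["use_pct"] = int(fields["use_pct"])
    fields["avail_bytes"] = to_bytes(fields["avail"])
    return fields

if __name__ == "__main__":
    for sample in SAMPLES:
        row = parse_df_line(sample)
        print(row["filesystem"], row["avail"], row["avail_bytes"])
```

Anchoring each column by position, rather than skipping a fixed count of digit runs, is what keeps the comma-decimal line from shifting the capture group.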
