I’ve set up an extractor and it seems to be working okay if I allow all fields:
See that if I don’t have “Show named fieds only” checked, then it shows everything, including my named fields chassis, pon, ont, olt, message, etc.
But if I check “Show named fields only”, while using the exact same grok pattern, it doesn’t show me all of my named fields:
thanks in advance.
what Graylog version did you use and can you reproduce that with a more simple pattern?
This was 2.4.6.
I tried breaking down some of the higher-level groks and found the culprit. I tried an external grok debugger and that successfully showed me only named captures: https://grokdebug.herokuapp.com/. I noticed that it also showed me some null values for date values:
"MONTHDAY": [
[
"14",
"14",
null
]
],
"YEAR": [
[
"2019",
"19",
null
]
],
I broke down my second %{DATE} into %{INT}/%{INT}/%{INT} and now named captures are working.
If anyone wants to run with this here is the string and filter to replicate:
Log entry:
<12>Jan 14 2019 11:45:06 172.18.248.1 272798,655099,01/14/19,11:45:06,GPON OLT,1,Alert,ONT Activated,0,1,0,2:3, 1-22
Not working:
<%{NUMBER}>%{ADTRANDATE} %{IPV4:chassis} %{NUMBER},%{NUMBER},%{DATE},%{TIME},%{DATA:module},%{NUMBER},%{DATA:level},%{DATA:message},%{NUMBER},%{NUMBER},%{NUMBER},%{INT:pon}:%{INT:ont}, %{INT}-%{INT:olt}
ADTRANDATE %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}
Working:
<%{NUMBER}>%{ADTRANDATE} %{IPV4:chassis} %{NUMBER},%{NUMBER},%{INT}/%{INT}/%{INT},%{TIME},%{DATA:module},%{NUMBER},%{DATA:level},%{DATA:message},%{NUMBER},%{NUMBER},%{NUMBER},%{INT:pon}:%{INT:ont}, %{INT}-%{INT:olt}This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.