Grok pattern (?(.|\r|\n)) doesn’t work with large messages
if I have large message and use Grok pattern (?(.|\r|\n)) then get mistake
But the given string is not a grok pattern - that is a regex, without any grok part.
What is a large message for you?
For example, my message have 6500 characters. I want to break it up on the date and all the rest
<%{DATA:time}>(?message>(.|\r|\n)*). I have error.Could you tell me how decide this problem?
I want to break it up on the date and all the rest
For me, it is not clear what you want todo on what kind of data. Sorry, you might want to rephrase your question and provide more/additional information.
Timestamp is different from time of log. I want to do a time search in the logs. I can do it using grok pattern
<%{DATA:time}>%{SPACE}<%{GREEDYDATA:message}
but GREEDYDATA gives me an incomplete message so I use
(?<message(.|\r|\n)*)
Maybe there is another way. I don’t know
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.