So I have a collection of Grok patterns, things like:

...
# Syslog Dates: Month Day HH:MM:SS
SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
PROG (?:[\w._/%-]+)
SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?
SYSLOGHOST %{IPORHOST}
SYSLOGFACILITY <%{NONNEGINT:facility}.%{NONNEGINT:priority}>
HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}
...
The grok patterns themselves don't matter; those work fine. What doesn't work is extracting these into fields. So I create an extractor like this:

Type: grok
Field: full_message
Pattern: %{SYSLOGPROG:syslogprog}: msg_id=%{QUOTEDSTRING:msg_id} %{WORD:result}

I test the pattern and get matches as I expect:

msg_id      3000-0148
program     firewall
result      Allow
syslogprog  firewall

I save the extractor and wait for messages to flow in. But those fields are never extracted when I search for them. I'm sure I'm omitting something obvious. Any ideas?

Thanks!
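The extractor pattern from the post, run through a small grok-to-regex expander, as an added example (not Graylog's code and not from the poster): it shows exactly which named fields the pattern yields, including the nested program/pid groups inside syslogprog, and why a line with an unquoted msg_id produces no fields at all. PROG and SYSLOGPROG are taken from the post; POSINT, WORD and QUOTEDSTRING are simplified stand-ins for the standard grok core patterns, and the sample messages are constructed.

```python
import re

# PROG and SYSLOGPROG are copied from the post. POSINT, WORD and QUOTEDSTRING
# are simplified stand-ins for the standard grok core patterns (assumed here).
PATTERNS = {
    "PROG": r"(?:[\w._/%-]+)",
    "SYSLOGPROG": r"%{PROG:program}(?:\[%{POSINT:pid}\])?",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "WORD": r"\b\w+\b",
    "QUOTEDSTRING": r'"(?:[^"\\]|\\.)*"',
}

# The extractor pattern from the post, applied to the full_message field.
EXTRACTOR_PATTERN = r"%{SYSLOGPROG:syslogprog}: msg_id=%{QUOTEDSTRING:msg_id} %{WORD:result}"

# Constructed sample messages (not taken from the poster's logs).
SAMPLE_LINES = [
    'firewall: msg_id="3000-0148" Allow',
    'firewall[2211]: msg_id="3000-0149" Deny',
    'firewall: msg_id=3000-0148 Allow',   # unquoted id: QUOTEDSTRING cannot match
]

# Matches %{NAME} or %{NAME:field} references inside a grok pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern, library=PATTERNS):
    """Recursively turn %{NAME} / %{NAME:field} references into Python regex groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = expand(library[name], library)          # resolve nested references first
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(repl, pattern)


def grok_fields(pattern, text, library=PATTERNS):
    """Return the named fields the grok pattern extracts from text, or None on no match."""
    m = re.search(expand(pattern, library), text)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("expanded regex:", expand(EXTRACTOR_PATTERN))
    for line in SAMPLE_LINES:
        print(line, "->", grok_fields(EXTRACTOR_PATTERN, line))
```

Note that pid comes back as None rather than being absent when the optional bracketed group does not match, which is worth remembering when a search for that field returns nothing.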