I've changed the grok pattern to include the end of the message and it 
doesn't appear to have made any difference.
  %{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition %{WORD:partition} has only %{POSINT:percent_free}\% free

I've since discovered that there are other extractors on the same input 
which aren't extracting:

message: ip-10-244-56-13 tmm6[11383]: Rule /Common/iRules-WebServices-Sandbox-Production-WhiteList <CLIENT_ACCEPTED>: 166.84.7.123 is not permitted to WebServices Sandbox
grok: %{HOSTNAME:source_unit} tmm%{GREEDYDATA:UNWANTED}: Rule %{UNIXPATH:irule} <CLIENT_ACCEPTED>: %{IP:source_address} is not permitted to %{GREEDYDATA:service}

Using the "Try" button on the extractor edit page, it all works as 
expected, but new incoming messages do not show any of the additional 
fields.

I've restarted the service using graylog-ctl, deleted the extractors and 
recreated them, but no change.  Any ideas what else could be going on?

Thanks,
Phil

On Wednesday, 3 August 2016 09:55:10 UTC+1, Jan Doberstein wrote:
>
> Hi Phil,
>
>
> the Grok pattern needs to match the whole line and in your case it does not.
>
> An example Grok pattern:
> %{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition %{WORD:partition} has only %{POSINT:percent_free}
>
> And an example input message:
> ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition var has only 12% free
>
>
> regards
> Jan
>
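
Added example (not part of the original thread and not Graylog's own code): a Python approximation of grok expansion for checking offline whether a pattern covers a whole line, run on the diskmonitor message and the two pattern variants quoted above. The GROK definitions are simplified stand-ins re-typed for this example, and Python's re engine is assumed to behave like Graylog's for these patterns.

```python
import re

# Simplified stand-ins for the stock grok definitions (assumption: re-typed
# for this example, not read from a Graylog installation).
GROK = {
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*",
    "WORD": r"\b\w+\b",
    "POSINT": r"\b[1-9][0-9]*\b",
    "GREEDYDATA": r".*",
}

# Sample message and both pattern variants, copied from the thread.
MSG = "ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition var has only 12% free"
SHORT = (r"%{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition "
         r"%{WORD:partition} has only %{POSINT:percent_free}")
LONG = SHORT + r"\% free"


def grok_to_regex(pattern):
    """Expand each %{NAME:field} reference into a named regex group."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.sub(r"%\{(\w+):(\w+)\}", expand, pattern)


def check(pattern, message):
    """Return (fields, whole_line_matched, unmatched_tail) for one message."""
    rx = re.compile(grok_to_regex(pattern))
    part = rx.search(message)          # partial match, anywhere in the line
    if part is None:
        return None, False, message
    whole = rx.fullmatch(message) is not None
    return part.groupdict(), whole, message[part.end():]


if __name__ == "__main__":
    for name, pat in (("short", SHORT), ("long", LONG)):
        fields, whole, tail = check(pat, MSG)
        print(name, "whole line:", whole, "unmatched tail:", repr(tail))
        print("   ", fields)
```

A non-empty tail shows exactly which part of the line the pattern leaves uncovered.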
