I've changed the grok pattern to include the end of the message and it doesn't appear to have made any difference.

%{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition %{WORD:partition} has only %{POSINT:percent_free}\% free

I've since discovered that there are other extractors on the same input which aren't extracting:

message:
ip-10-244-56-13 tmm6[11383]: Rule /Common/iRules-WebServices-Sandbox-Production-WhiteList <CLIENT_ACCEPTED>: 166.84.7.123 is not permitted to WebServices Sandbox

grok:
%{HOSTNAME:source_unit} tmm%{GREEDYDATA:UNWANTED}: Rule %{UNIXPATH:irule} <CLIENT_ACCEPTED>: %{IP:source_address} is not permitted to %{GREEDYDATA:service}

Using the "Try" button on the extractor edit page, it all works as expected, but new incoming messages do not show any of the additional fields.

I've restarted the service using graylog-ctl, deleted the extractors and recreated them, but no change.

Any ideas what else could be going on?

Thanks,
Phil

On Wednesday, 3 August 2016 09:55:10 UTC+1, Jan Doberstein wrote:
> Hi Phil,
>
> the Grok pattern needs to match the whole line and in your case it does not.
>
> An example Grok pattern:
> %{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition %{WORD:partition} has only %{POSINT:percent_free}
>
> And an example input message:
> ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition var has only 12% free
>
> regards
> Jan
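
An added example, not part of the thread and not Graylog's own code: an offline check that expands the grok patterns quoted above into Python regexes and runs them against the quoted messages, once as a substring search and once requiring the whole line. The pattern definitions in GROK are simplified stand-ins (assumptions), and extract() and its whole_line flag are hypothetical names; the example does not establish which of the two modes a Graylog extractor applies.

```python
import re

# Simplified stand-ins for the stock grok definitions (assumptions, not the
# exact patterns shipped with Graylog); IP covers IPv4 only.
GROK = {
    "HOSTNAME": r"[0-9A-Za-z][0-9A-Za-z.-]*",
    "GREEDYDATA": r".*",
    "WORD": r"\w+",
    "POSINT": r"[1-9][0-9]*",
    "UNIXPATH": r"(?:/[\w.%!$@:,+~-]*)+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} references into named regex groups."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

def extract(pattern, message, whole_line=False):
    """Return the extracted fields, or None when the pattern does not match.
    whole_line=True demands that the pattern cover the entire message."""
    rx = grok_to_regex(pattern)
    m = rx.fullmatch(message) if whole_line else rx.search(message)
    return m.groupdict() if m else None

# Messages and patterns as quoted in the thread.
DISK_MSG = ("ip-10-244-63-14 diskmonitor: 011d0004:3: "
            "Disk partition var has only 12% free")
DISK_SHORT = (r"%{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}"
              r"partition %{WORD:partition} has only %{POSINT:percent_free}")
DISK_FULL = DISK_SHORT + r"\% free"
TMM_MSG = ("ip-10-244-56-13 tmm6[11383]: Rule "
           "/Common/iRules-WebServices-Sandbox-Production-WhiteList "
           "<CLIENT_ACCEPTED>: 166.84.7.123 is not permitted to "
           "WebServices Sandbox")
TMM_PATTERN = (r"%{HOSTNAME:source_unit} tmm%{GREEDYDATA:UNWANTED}: Rule "
               r"%{UNIXPATH:irule} <CLIENT_ACCEPTED>: %{IP:source_address} "
               r"is not permitted to %{GREEDYDATA:service}")

if __name__ == "__main__":
    for name, pat, msg in [("short", DISK_SHORT, DISK_MSG),
                           ("full", DISK_FULL, DISK_MSG),
                           ("tmm", TMM_PATTERN, TMM_MSG)]:
        print(name, "search:", extract(pat, msg))
        print(name, "whole :", extract(pat, msg, whole_line=True))
```

The shorter disk pattern matches as a substring but not as a whole line, because the trailing "% free" is left over; the longer pattern and the tmm pattern both cover their messages completely.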