Hi,
my issue started with parsing a simple log via the Graylog GROK parser.
In my "full_message" field I have the following content (btw, an MS SQL error log
line):
2016-04-11 13:22:15.33 Server      Using dynamic lock allocation.  Initial 
allocation of 2500 Lock blocks and 5000 Lock Owner blocks per node.  This 
is an informational message only.  No user action is required.

In the first step I would like to get 3 fields, e.g.: timestamp, type, 
content 

1. First, I normally test my grok attempts via 
http://grokdebug.herokuapp.com/. In that case my grok was as follows: 
%{TIMESTAMP_ISO8601:timestamp} %{DATA:type} +%{GREEDYDATA:content}
Result (with "Named Captures Only" checked) is as expected:
{
  "timestamp": [
    [
      "2016-04-11 13:22:15.33"
    ]
  ],
  "type": [
    [
      "Server"
    ]
  ],
  "content": [
    [
      "Using dynamic lock allocation.  Initial allocation of 2500 Lock 
blocks and 5000 Lock Owner blocks per node.  This is an informational 
message only.  No user action is required."
    ]
  ]
}

2. I applied the successfully tested pattern from Grokdebug to the Graylog GROK
extractor for the given field.
But in this case I received Graylog error message: "We were not able to run 
the grok extraction. Please check your parameters."

3. Then I checked this discussion group, but found no relevant answers. I
also followed some advice, e.g. to replace the original Graylog grok patterns
with the following ones:
https://raw.githubusercontent.com/logstash-plugins/logstash-patterns-core/master/patterns/grok-patterns.
 
But with the same result.

The testing was executed on my production Graylog setup (2.0) and on the latest
Graylog appliance/OVA with the same results.

My questions:
0. Am I missing any elementary fact about GROK processing, GROK processing 
in Graylog, differences in flavours of GROK language, pattern set in 
Graylog?
1. Do Graylog and Grokdebug normally produce the same results?
2. What is your testing/troubleshooting procedure for new GROK patterns? 
3. What should I check to solve my issue (specific java setting, some 
suspicious record in Graylog server log, ...)?

Thanks,
Nimmie
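
An offline check of the pattern from the post against its sample line, as an added example that is not part of the original message and is not Graylog or Grokdebug code: a minimal grok-to-regex expander in Python. The three pattern bodies are simplified stand-ins (assumptions) for the logstash-patterns-core definitions, and `grok_to_regex` and `grok_match` are hypothetical helper names.

```python
import re

# Simplified stand-ins for three logstash-patterns-core definitions
# (assumption: trimmed for this example, not the exact upstream regexes).
PATTERNS = {
    "TIMESTAMP_ISO8601": (r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}"
                          r"(?::\d{2}(?:[.,]\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?"),
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

# Matches %{NAME} and %{NAME:field} references inside a grok expression.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(expr):
    """Expand grok references into named groups; raise on unknown pattern names."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in PATTERNS:
            raise KeyError(f"unknown grok pattern: {name}")
        body = PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, expr))


def grok_match(expr, line):
    """Return the named captures as a dict, or None if the line does not match."""
    m = grok_to_regex(expr).match(line)
    return m.groupdict() if m else None


# Pattern and log line from the post (the wrapped log line joined onto one line).
EXPR = "%{TIMESTAMP_ISO8601:timestamp} %{DATA:type} +%{GREEDYDATA:content}"
SAMPLE = ("2016-04-11 13:22:15.33 Server      Using dynamic lock allocation.  "
          "Initial allocation of 2500 Lock blocks and 5000 Lock Owner blocks "
          "per node.  This is an informational message only.  "
          "No user action is required.")

if __name__ == "__main__":
    for key, value in grok_match(EXPR, SAMPLE).items():
        print(f"{key}: {value!r}")
```

A `KeyError` from `grok_to_regex` means the expression references a pattern name that the local pattern set does not define, and a `None` result means the expression compiled but the line did not match.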

