Re: [graylog2] Extractor not running on inputs that should match

2016-08-03 Thread Phil Sumner
I've changed the grok pattern to include the end of the message and it 
doesn't appear to have made any difference.
  %{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition %{WORD:partition} has only %{POSINT:percent_free}\% free

I've since discovered that there are other extractors on the same input 
which aren't extracting:

message: ip-10-244-56-13 tmm6[11383]: Rule /Common/iRules-WebServices-Sandbox-Production-WhiteList : 166.84.7.123 is not permitted to WebServices Sandbox
grok: %{HOSTNAME:source_unit} tmm%{GREEDYDATA:UNWANTED}: Rule %{UNIXPATH:irule} : %{IP:source_address} is not permitted to %{GREEDYDATA:service}

Using the "Try" button on the extractor edit page, it all works as 
expected, but new incoming messages do not show any of the additional 
fields.

I've restarted the service using graylog-ctl, deleted the extractors and 
recreated them, but no change.  Any ideas what else could be going on?

Thanks,
Phil

On Wednesday, 3 August 2016 09:55:10 UTC+1, Jan Doberstein wrote:
>
> Hi Phil,
>
>
> the Grok pattern needs to match the whole line and in your case it does not.
>
> An example Grok pattern:
> %{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition %{WORD:partition} has only %{POSINT:percent_free}
>
> And an example input message:
> ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition var has only 12% free
>
>
> regards
> Jan
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/ba51d376-e0c4-40c6-aeb1-da1f480a44a3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [graylog2] Extractor not running on inputs that should match

2016-08-03 Thread Jan Doberstein
Hi Phil,


the Grok pattern needs to match the whole line and in your case it does not.

An example Grok pattern:
%{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition %{WORD:partition} has only %{POSINT:percent_free}

And an example input message:
ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition var has only 12% free


regards
Jan



[graylog2] Extractor not running on inputs that should match

2016-08-02 Thread Phil Sumner
I've set up some simple Grok extractors and tested that they match against 
a sample of input messages in the Graylog interface, but when further 
messages come in the extractors do not seem to "kick in", and the 
additional fields that I see on other inputs with similar extractors don't 
get added on.  This was working at some point, but I deleted and recreated 
the extractors for some reason I've now forgotten.

An example Grok pattern:
%{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition %{WORD:partition} has only %{POSINT:percent_free}

And an example input message:
ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition var has only 12% free

Below is an example of a message that came in after I updated the extractor:



I can't figure out what's going on here, am I missing something obvious?
