Hello,
I think there is an error on the page "How to write a parser" in the section "Grok". The documentation says:
"The pattern should take into account every single character of your event, from the first one to the last one."
I think the correct term is "MUST take into account" because when I write a grok pattern, if it doesn't match all the characters, then the log is not parsed at all. Here are my tests.
Data sent to grok pattern: Microsoft-Windows-Kernel-General:24 S-1-5-19 (0 240 2 0 0)
Functional grok pattern: %{DATA:source}:%{NUMBER:event_id} %{DATA:sid} %{DATA:data}. The last DATA item matches every remaining character.
Non-functional grok pattern: %{DATA:source}:%{NUMBER:event_id}. No element matches all remaining characters and no parsed field is displayed in the right-hand “Test your parser” panel.
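To show why a grok pattern has to consume the whole event before any field is emitted, here is an added Python script; it is not part of this issue or of the project's parser. It expands two grok-style references, DATA and NUMBER, into a regular expression and runs the two patterns from the tests above against the same event, once as a full match (what the parser panel behaves like) and once as a prefix match. The pattern table is a constructed subset of common grok definitions, and grok_to_regex and grok_parse are hypothetical helper names.

```python
import re

# Constructed subset of grok definitions (illustration only, not the project's table).
GROK_PATTERNS = {
    "DATA": r".*?",                                   # lazy, any text
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",    # integer or decimal
}

# A %{NAME:field} or %{NAME} reference inside a grok pattern.
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

# Event and patterns taken from the tests in the issue above.
LINE = "Microsoft-Windows-Kernel-General:24 S-1-5-19 (0 240 2 0 0)"
PATTERN_OK = "%{DATA:source}:%{NUMBER:event_id} %{DATA:sid} %{DATA:data}"
PATTERN_PARTIAL = "%{DATA:source}:%{NUMBER:event_id}"


def grok_to_regex(pattern: str) -> str:
    """Expand grok references into a Python regex with named groups.

    Literal text between references is escaped so it matches verbatim.
    """
    out = []
    pos = 0
    for m in _REF.finditer(pattern):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]  # KeyError on an unknown pattern name
        out.append(re.escape(pattern[pos:m.start()]))
        out.append(f"(?P<{field}>{body})" if field else f"(?:{body})")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return "".join(out)


def grok_parse(pattern: str, line: str, full_match: bool = True):
    """Return the parsed fields, or None when the pattern does not match.

    full_match=True requires the pattern to cover every character of the
    event, which is the behaviour the issue describes; full_match=False
    only anchors at the start and accepts leftover text.
    """
    regex = grok_to_regex(pattern)
    m = re.fullmatch(regex, line) if full_match else re.match(regex, line)
    return m.groupdict() if m else None


def run_tests():
    """Reproduce the three observations as a dict of results."""
    return {
        "functional_full": grok_parse(PATTERN_OK, LINE),
        "partial_full": grok_parse(PATTERN_PARTIAL, LINE),
        "partial_prefix": grok_parse(PATTERN_PARTIAL, LINE, full_match=False),
    }


if __name__ == "__main__":
    for name, result in run_tests().items():
        print(f"{name}: {result}")
```

The full-match run of the shorter pattern returns None even though its two references do match the start of the event, which is exactly the "no parsed field" result seen in the panel; only the prefix-match run surfaces the two partial fields, so a parser that requires the whole event to be covered is the stricter and safer behaviour to document.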