This is the sort of thing that can take some trial and error to get perfect, and I doubt anyone on this list has messages of exactly this format hitting their own servers, so it will be hard for us to give you proven tested-and-good answers; we can only point you in the right direction.
You need a different rule for each variable you wish to create. If every message in your log is of this form, you could start with something like this (in some places I use a \s instead of a space just in case your mail client reformats the strings and makes things even more confusing):

sourceserver: ^(.+)\s\d+/\d+/20\d\d\s+
date: ^.+\s(\d+/\d+/20\d+)
time: ^.+\s(\d\d:\d\d:\d\d\.\d+)
pid: ^.+\s\d\d:\d\d:\d\d\.\d+\s(\d+) \d+
threadid: ^.+\s\d\d:\d\d:\d\d\.\d+\s\d+\s(\d+)\s+\d+\s+
seq: ^.+\s\d\d:\d\d:\d\d\.\d+\s\d+\s\d+\s+(\d+)\s+
severity: ^.+\s\d\d:\d\d:\d\d\.\d+\s\d+\s\d+\s+\d+\s+(\d+)\s+
messageid: ^.+\s\d\d:\d\d:\d\d\.\d+\s\d+\s\d+\s+\d+\s+\d+\s+(\d+)\s+
Message: ^.+\s\d\d:\d\d:\d\d\.\d+\s\d+\s\d+\s+\d+\s+\d+\s+\d+\s+(.+)

None of this is tested; this is just what my first attempts would be. And the graylog help page really is the best place to start if you don't have any working examples to study.

It really does help build regexps if the input has something that will be consistently recognizable. In your sample, the only fields that are easy to key on are the source field (because it comes first), the date field (because it contains /) and the time field (because it contains : and . between the digits). All the rest are just counting fields of digits and capturing the correct one for each variable.

On Mon, Feb 1, 2016 at 1:46 PM, Mehmet Ali Büyükkarakaş <[email protected]> wrote:

> Hello everybody,
>
> I have a log like this from Doubletake for Linux.
>
> bl-db01 02/01/2016 21:16:53.000000 14762 140124060886784 52 2 0 Total number of pauses: 0
>
> The fields should be
> sourceserver, date, time, PID, ThreadID, SequenceNumber, Severity, MessageID, Message
>
> I want to put this raw syslog msg to fields and index in Graylog.
> Could you help me please to solve it quickly?
>
> And how can I learn to convert these raw msgs and put into fields of graylog? I have some resources about RegEx but using regex into graylog is not clear for me.
> (Don't redirect me to the graylog help page, please)
>
> Thank you in advance.
>
> Mehmet

--
No matter what we think of Linux versus FreeBSD, etc., the one thing I really like about Linux is that it has Microsoft worried. Anything that kicks a monopoly in the pants has got to be good for something. - Chris Johnson
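Applying the per-field rules from the reply above to the sample line quoted in the thread, as an added example rather than code from the original message; it assumes Graylog's regex extractor stores capture group 1 of each pattern, and also shows a single named-group pattern as an alternative to counting numeric fields nine times.

```python
import re

# Constructed sample: the Doubletake log line quoted in the thread.
SAMPLE = ("bl-db01 02/01/2016 21:16:53.000000 14762 140124060886784 "
          "52 2 0 Total number of pauses: 0")

# One single-group pattern per field, modelled on the reply above. Graylog's
# regex extractor stores capture group 1, so each pattern has exactly one group.
TIME_PREFIX = r"^.+\s\d\d:\d\d:\d\d\.\d+\s"
PER_FIELD = {
    "sourceserver": r"^(.+)\s\d+/\d+/20\d\d\s+",
    "date":         r"^.+\s(\d+/\d+/20\d+)",
    "time":         r"^.+\s(\d\d:\d\d:\d\d\.\d+)",
    "pid":          TIME_PREFIX + r"(\d+)\s\d+",
    "threadid":     TIME_PREFIX + r"\d+\s(\d+)\s+\d+\s+",
    "seq":          TIME_PREFIX + r"\d+\s\d+\s+(\d+)\s+",
    "severity":     TIME_PREFIX + r"\d+\s\d+\s+\d+\s+(\d+)\s+",
    "messageid":    TIME_PREFIX + r"\d+\s\d+\s+\d+\s+\d+\s+(\d+)\s+",
    "message":      TIME_PREFIX + r"\d+\s\d+\s+\d+\s+\d+\s+\d+\s+(.+)",
}

# Alternative: one anchored pattern with named groups. It drops the repeated
# "count the numeric fields" prefix and rejects the whole line if a field is missing.
COMBINED = re.compile(
    r"^(?P<sourceserver>\S+)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<threadid>\d+)\s+(?P<seq>\d+)\s+"
    r"(?P<severity>\d+)\s+(?P<messageid>\d+)\s+(?P<message>.*)$"
)

def extract_per_field(line):
    """Run each single-group regex the way one Graylog extractor per field would."""
    out = {}
    for name, pattern in PER_FIELD.items():
        m = re.search(pattern, line)
        out[name] = m.group(1) if m else None
    return out

def extract_combined(line):
    """Parse the whole line at once; return None if it does not fit the format."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    for name, value in extract_per_field(SAMPLE).items():
        print(f"{name}: {value}")
    print(extract_combined(SAMPLE))
```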
