You're welcome.  I did just spot an error I made in the examples... the
time pattern has a decimal point in it, and that will need to be escaped in
all of the patterns that contain that field.

threadid: ^.+\s\d\d:\d\d:\d\d.\d+\s\d+\s(\d+)\s+\d+\s+

should be

threadid: ^.+\s\d\d:\d\d:\d\d\.\d+\s\d+\s(\d+)\s+\d+\s+

On Mon, Feb 1, 2016 at 3:05 PM, Mehmet Ali Büyükkarakaş <
[email protected]> wrote:

> Joi thank you so much. :)
>
> On Mon, Feb 1, 2016 at 10:18 PM, Joi Owen <[email protected]> wrote:
>
>> This is the sort of thing that can take some trial and error to get
>> perfect, and I doubt anyone on this list has messages of exactly this
>> format hitting their own servers, so it will be hard for us to give you
>> proven tested-and-good answers, we can only point you in the right
>> direction.
>>
>> You need a different rule for each variable you wish to create.  If every
>> message in your log is of this form, you could start with something like:
>>  (in some places I use a \s instead of a space just in case your mail
>> client reformats the strings and makes things even more confusing.)
>>
>> sourceserver:  ^(.+)\s\d+/\d+/20\d\d\s+
>> date:  ^.+\s(\d+/\d+/20\d+)
>> time:  ^.+\s(\d\d:\d\d:\d\d\.\d+)\s
>> pid:  ^.+\s\d\d:\d\d:\d\d.\d+\s(\d+) \d+
>> threadid: ^.+\s\d\d:\d\d:\d\d.\d+\s\d+\s(\d+)\s+\d+\s+
>> seq: ^.+\s\d\d:\d\d:\d\d.\d+\s\d+\s\d+\s+\d+\s+(\d+)\s+
>> severity: ^.+\s\d\d:\d\d:\d\d.\d+\s\d+\s\d+\s+\d+\s+\d+\s+(\d+)
>> messageid: ^.+\s\d\d:\d\d:\d\d.\d+\s\d+\s\d+\s+\d+\s+\d+\s+\d+\s+(\d)\s+
>> Message: ^.+\s\d\d:\d\d:\d\d.\d+\s\d+\s\d+\s+\d+\s+\d+\s+\d+\s+\d\s+(.+)
>>
>> None of this is tested, this is just what my first attempts would be.
>>  And the graylog help page really is the best place to start if you don't
>> have any working examples to study.
>>
>> It really does help build regexps if the input has something that will be
>> consistently recognizable.  In your sample, the only fields that are easy
>> to key on are the source field (because it comes first), the date field
>> (because it contains /) and the time field (because it contains : and .
>> between the digits.)  All the rest are just counting fields of digits and
>> capturing the correct one for each variable.
>>
>>
>>
>>
>> On Mon, Feb 1, 2016 at 1:46 PM, Mehmet Ali Büyükkarakaş <
>> [email protected]> wrote:
>>
>>> Hello everybody,
>>>
>>> I have a log like this from Doubletake for Linux.
>>>
>>> bl-db01 02/01/2016 21:16:53.000000 14762 140124060886784 52 2 0 Total
>>> number of pauses: 0
>>>
>>> The fields should be
>>> sourceserver, date, time, PID, ThreadID, SequenceNumber, Severity,
>>> MessageID, Message
>>>
>>> I want to put this raw syslog msg into fields and index it in Graylog.
>>> Could you please help me solve it quickly?
>>>
>>> And how can I learn to convert these raw msgs and put them into fields of
>>> graylog? I have some resources about RegEx but using regex in graylog is
>>> not clear for me. (Don't redirect me to the graylog help page, please)
>>> Thank you in advance.
>>>
>>> Mehmet
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Graylog Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/graylog2/10e8f9c2-ed14-4583-bf99-977748f24b13%40googlegroups.com
>>> <https://groups.google.com/d/msgid/graylog2/10e8f9c2-ed14-4583-bf99-977748f24b13%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>>
>> --
>>
>> No matter what we think of Linux versus FreeBSD, etc., the one thing I
>> really like about Linux is that it has Microsoft worried. Anything
>> that kicks a monopoly in the pants has got to be good for something.
>> - Chris Johnson
>>
>>
>
>
>
> --
>
>
> -------------------------------------------------------------------------------------------------
> Alice -  "Would you tell me which way I ought to go?"
> "That depends on what you want and what you are trying to reach," said the cat.
> "Well, I don't know ??? " said Alice.
> "Then it doesn't matter which way you go," said the cat.
>
> Alice in Wonderland
>
>



-- 

No matter what we think of Linux versus FreeBSD, etc., the one thing I
really like about Linux is that it has Microsoft worried. Anything
that kicks a monopoly in the pants has got to be good for something.
- Chris Johnson
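The following is an added example, my own code rather than anything posted in the thread, that applies per-field single-capture-group patterns in the style of Joi's suggestions to the sample line from the question, with the time field's decimal point escaped as the follow-up message notes. It also feeds a constructed malformed line through both the escaped and unescaped forms to show why the escape matters. Python's re module stands in for Graylog's Java regex; the patterns use only syntax common to both.

```python
import re

# Sample line quoted in the question (Doubletake for Linux).
SAMPLE = ("bl-db01 02/01/2016 21:16:53.000000 14762 140124060886784 52 2 0 "
          "Total number of pauses: 0")

# Constructed malformed line: the '.' inside the timestamp became a space.
MALFORMED = SAMPLE.replace("21:16:53.000000", "21:16:53 000000")

# Time field with the decimal point escaped, as the follow-up message notes.
TIME = r"\d\d:\d\d:\d\d\.\d+"
# Everything up to and including the time field; each later extractor then
# counts whitespace-separated digit runs to reach its own field.
PREFIX = r"^.+\s" + TIME + r"\s"

# One pattern per field, one capture group each, in the style of the thread
# (my own versions, not the poster's exact strings).
PATTERNS = {
    "sourceserver": r"^(\S+)\s\d+/\d+/20\d\d\s",
    "date": r"^\S+\s(\d+/\d+/20\d\d)\s",
    "time": r"^.+\s(" + TIME + r")\s",
    "pid": PREFIX + r"(\d+)\s",
    "threadid": PREFIX + r"\d+\s(\d+)\s",
    "seq": PREFIX + r"\d+\s\d+\s(\d+)\s",
    "severity": PREFIX + r"\d+\s\d+\s\d+\s(\d+)\s",
    "messageid": PREFIX + r"\d+\s\d+\s\d+\s\d+\s(\d+)\s",
    "message": PREFIX + r"\d+\s\d+\s\d+\s\d+\s\d+\s(.+)$",
}


def extract_fields(line, patterns=PATTERNS):
    """Run every extractor and keep group 1 of each match, which is what a
    Graylog regex extractor stores. Non-matching fields are left absent."""
    fields = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, line)
        if match:
            fields[name] = match.group(1)
    return fields


def time_field_matches(line, escaped=True):
    """An unescaped '.' accepts any character between seconds and fraction,
    so a malformed timestamp still matches and yields a bogus time field."""
    dot = r"\." if escaped else r"."
    return re.search(r"\s(\d\d:\d\d:\d\d" + dot + r"\d+)\s", line) is not None
```

Running extract_fields on the malformed line returns only sourceserver and date, which is the visible symptom to look for in Graylog when an extractor silently stops matching.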
