Hello there,
I'm freaking out over a problem since 8 hours. I've tried literally everything
by now, I think:
I have, for example, two messages (the problem covers way more variations,
but this is a good example):
<180>2016-08-25T14:43:34.770Z ab0808.way.local vmkwarning:
cpu11:32879)WARNING: PageRetire: 650: Number of kernel MPNs selected for
retirement is 1
<27>2016-08-25T14:41:15Z ab0808.way.local sfcb-vmware_base[35986]: Timeout
(or other socket error) waiting for response from provider
Both messages come from ESXi over syslog UDP, but that's just an aside. The
grok pattern I use is:
%{ESXI_SYSLOG5424PRI:UNWANTED}%{ESXI_SYSLOGBASE2:UNWANTED}
%{PROG}%{ESXI_PID}%{GREEDYDATA:message}
I have copied some patterns here, all working. The problem pattern is
ESXI_PID, which should store a value in the "process_id" field. ESXI_PID
itself shows the correct string, BUT only the first "matching" INT stores the
process_id field correctly. The problem can be reproduced with all fields,
even with unnamed fields like INT itself. Just use it in an OR pattern and
only one of the two will hit. If you switch the sides, the correct one will
match but INT is missing.
------------ cpu expression left, [ right ------------
ESXI_PID : cpu\d+:%{INT}\)|\[%{INT}\]

  1. Message - all CORRECT
     ESXI_PID : cpu11:32879)
     INT      : 32879

  2. Message - ESXI_PID correct but missing INT
     ESXI_PID : [35986]
     INT      : (missing)

------------ cpu expression right, [ left ------------
ESXI_PID : \[%{INT}\]|cpu\d+:%{INT}\)

  1. Message - ESXI_PID correct but missing INT
     ESXI_PID : cpu11:32879)
     INT      : (missing)

  2. Message - all CORRECT
     ESXI_PID : [35986]
     INT      : 35986
------------------------------------------------------
Hope someone gets the problem - I know I explained it a little complicatedly.
The thing is, this only happens in Graylog. I tried it with 3 online grok
checkers and those gave me correct results, with both messages outputting
INT (or storing process_id).
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/46ccab07-258e-4cd7-8269-e912034dd9a7%40googlegroups.com.