I'm having the same problem. Have you had any luck?
On Wednesday, August 3, 2016 at 4:17:58 PM UTC-4, [email protected] wrote:
>
> An example log entry is:
>
> {"datetime":"2016-08-03T18:47:45.2747784Z","level":"Debug","name": "Platform.Data.InstanceProvider","message":"InstanceProvider(ce553f62-f207-41db-aa3d-6d3f74b18df4) returned the cached instance.", "requesterIp":"","threadid":"32"}
>
> And the entire thing is put under the message field. I want fields for
> Date, Level, Name, Message, RequesterIp, and Threadid. I see that I cannot
> cut from the message so I've tried GROK parsing with copy.
>
> %{YEAR}[-]%{MONTHNUM2}[-]%{MONTHDAY}[T]%{HOUR}[:]%{MINUTE}[:]%{SECOND}
>
> but I cannot get beyond that. I've tried continuing with
>
> [,]%{WORD:name}[,]%{WORD:message}
>
> but it fails. Any suggestions on how I can continue on for the remaining
> fields? Or is GROK not the optimal way to parse?
