I was having a similar issue with my router and switches and I found this tutorial which really helped me to be able to extract the information I needed. You can also look up extractors on the Graylog marketplace as well to help you accomplish this. https://www.youtube.com/watch?v=DEReadkHf2Y
On Wednesday, August 3, 2016 at 4:17:58 PM UTC-4, [email protected] wrote:
> An example log entry is:
>
> {"datetime":"2016-08-03T18:47:45.2747784Z","level":"Debug","name":"Platform.Data.InstanceProvider","message":"InstanceProvider(ce553f62-f207-41db-aa3d-6d3f74b18df4) returned the cached instance.","requesterIp":"","threadid":"32"}
>
> And the entire thing is put under the message field. I want fields for Date, Level, Name, Message, RequesterIp, and Threadid. I see that I cannot cut from the message so I've tried GROK parsing with copy.
>
> %{YEAR}[-]%{MONTHNUM2}[-]%{MONTHDAY}[T]%{HOUR}[:]%{MINUTE}[:]%{SECOND}
>
> but I cannot get beyond that. I've tried continuing with
>
> [,]%{WORD:name}[,]%{WORD:message}
>
> but it fails. Any suggestions on how I can continue on for the remaining fields? Or is GROK not the optimal way to parse?
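The following is an added example, not code from either poster or from Graylog. It reproduces the two ways of splitting the quoted log line into fields: parsing it as the JSON it actually is, and a small Grok-style expander that shows what a Grok pattern for this line has to look like (the literal JSON punctuation between the values must be in the pattern, and %{WORD} cannot match values containing dots, hyphens, parentheses or spaces). The base patterns in GROK_BASE are simplified stand-ins for the stock Grok definitions, NOTQUOTE is an assumed helper name rather than a stock pattern, and the sample lines are constructed (the first is the quoted entry with the mailing-list line wrap removed; the second is invented to show a message containing an escaped quote).

```python
import json
import re

# Constructed sample: the log entry quoted in the question, with the
# line wrapping that the list archive inserted inside the message removed.
SAMPLE = ('{"datetime":"2016-08-03T18:47:45.2747784Z","level":"Debug",'
          '"name":"Platform.Data.InstanceProvider",'
          '"message":"InstanceProvider(ce553f62-f207-41db-aa3d-6d3f74b18df4) '
          'returned the cached instance.","requesterIp":"","threadid":"32"}')

# Constructed sample (invented): the same layout, but the message value
# contains a JSON-escaped quote, which a quote-delimited pattern cannot handle.
SAMPLE_ESCAPED = ('{"datetime":"2016-08-03T18:47:46.0000000Z","level":"Warn",'
                  '"name":"Platform.Data.InstanceProvider",'
                  '"message":"lookup for \\"ce553f62\\" failed",'
                  '"requesterIp":"10.0.0.5","threadid":"7"}')

WANTED = ["datetime", "level", "name", "message", "requesterIp", "threadid"]


# --- Approach 1: the line is JSON, so decode it as JSON -----------------------
def parse_json_fields(line):
    """Return the wanted fields from a JSON log line, or None if it is not JSON."""
    try:
        obj = json.loads(line)
    except ValueError:          # json.JSONDecodeError is a ValueError
        return None
    return {k: obj.get(k, "") for k in WANTED}


# --- Approach 2: a minimal Grok-style pattern expander ------------------------
# Simplified stand-ins for the stock Grok definitions (assumption: real Grok
# builds TIMESTAMP_ISO8601 from sub-patterns; NOTQUOTE is our own helper).
GROK_BASE = {
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "NOTQUOTE": r'[^"]*',
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
}


def grok_to_regex(pattern):
    """Expand %{NAME} and %{NAME:field} tokens into a compiled Python regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        base = GROK_BASE[name]
        return "(?P<%s>%s)" % (field, base) if field else "(?:%s)" % base
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern))


# Why the pattern in the question fails: after the timestamp the next bytes are
# '","level":"', not ','; and %{WORD} only matches [A-Za-z0-9_]+, so it cannot
# consume "Platform.Data.InstanceProvider" or a message with spaces. The JSON
# punctuation is written literally and each value is matched up to its closing
# quote. Assumes the serializer emits no whitespace around ':' and ','.
GROK_JSON_LINE = (
    r'\{"datetime":"%{TIMESTAMP_ISO8601:datetime}",'
    r'"level":"%{WORD:level}",'
    r'"name":"%{NOTQUOTE:name}",'
    r'"message":"%{NOTQUOTE:message}",'
    r'"requesterIp":"%{NOTQUOTE:requesterIp}",'
    r'"threadid":"%{WORD:threadid}"\}'
)


def parse_grok_fields(line, pattern=GROK_JSON_LINE):
    """Return the named captures for the line, or None when the pattern fails."""
    m = grok_to_regex(pattern).match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE_ESCAPED):
        print("json:", parse_json_fields(line))
        print("grok:", parse_grok_fields(line))
```

Both approaches agree on the quoted entry, but the Grok pattern returns None for the second sample because the escaped quote inside the message ends the NOTQUOTE match early, while the JSON decoder unescapes it correctly. That is the practical reason to prefer a JSON extractor over Grok for lines like these: Grok is the right tool for free-form text (the router and switch syslog from the reply above), not for a structured format that already has a parser.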
