Jim February 2016

logstash split message from log4net into two fields

We are new to using logstash and are parsing log4net messages. In the message field currently we have a string output as

Some random application name - Some random message

I tried to use the gsub => ["message", "-", "App Name"] but it just changed the string and not add it as a new field. What is the best way to get the application name as a new field and remove it from the message field?

Thank you in advanced for your help.

Answers


Alain Collins February 2016

How about grok{} with this pattern:

   %{DATA:app} - %{GREEDYDATA:otherStuff}

Post Status

Asked in February 2016
Viewed 3,417 times
Voted 7
Answered 1 times

Search




Leave an answer