The logstash Grok is not working for us, maybe the format has changed in the logs?

[choffee]

I this line now that seems to work:

"message", "\[(?<RAS.Severity>[C|E|W|I|T|D]) (?<RAS.ModuleCode>[a-fA-F0-9]{2})/(?<RAS.ErrorCode>[a-fA-F0-9]{8})(/(?<RAS.ThreadID>[Ta-fA-F0-9]+)/(?<RAS.ProcessID>[P0-9A-F]+))*\] (?<RAS.LogTimestamp>(%{DATE_EU} %{TIME}|%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})) - %{GREEDYDATA:RAS.MessageText}",
Would be good if the RAS.MessageText could be split out a bit as well.

I also added a de_dot filter to make them into sub fields of the RAS object.

This of course would all be better dealt with as some sort of machine logging format from Parallels itself.

[noneharon]

Hi @choffee,
Unfortunatelly, it's impossible to split RAS.MessageText at the moment, but I'd like to discuss with you how you envision this split and what are your requirements. Don't you mind to have a short call and discuss this matter? find me on Linkedin: eugenekorepanov

As for the grok filter, I'll check and see what has happened there. Thanks for the info