I have a logfile that I am parsing with telegraf.logparser,
which then sends it to InfluxDB. The problem is that my logfile has different fields in a complete string:
2016-12-06 11:13:34 job id: mHiMMDmCDFKDmGXNMhm, lrmsid: 13370
2016-12-06 11:14:34 job id: seeeeeewsda33rfddSD, lrmsid: 13371
2016-12-06 11:14:37 job id: dmABFKDmqKcNDmHBFKD, failure: "Timeout"
I can match a single one of those lines with
%{TIMESTAMP_ISO8601} job id: %{WORD:jobid}, lrmsid: %{WORD:lrmsid}
or
%{TIMESTAMP_ISO8601} job id: %{WORD:jobid}, failure: %{WORD:fail}
But how can I get both, so that if lrmsid is not set, it gets lrmsid=null and failure="Timeout",
and if lrmsid is set, it is lrmsid=12345 and failure=null?
Please try this one:
(lrmsid: %{WORD:lrmsid})?(failure: "%{WORD:failure}")?
It should capture either lrmsid or failure, if I have not missed anything.
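The behaviour of the two optional groups from the answer, shown as an added example that is not part of the original question or answer. It assumes the full pattern is the timestamp and job id prefix from the question followed by the answer's two groups, hand-expanded into a Go regexp with TIMESTAMP_ISO8601 simplified to the layout of the sample lines; lineRe, parseLine and the third sample line are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hand-expanded regexp stand-in (an assumption, simplified) for the grok pattern
//   %{TIMESTAMP_ISO8601:timestamp} job id: %{WORD:jobid}, (lrmsid: %{WORD:lrmsid})?(failure: "%{WORD:failure}")?
// The trailing $ stops a line carrying neither field from matching silently.
var lineRe = regexp.MustCompile(
	`^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) job id: (?P<jobid>\b\w+\b), ` +
		`(?:lrmsid: (?P<lrmsid>\b\w+\b))?(?:failure: "(?P<failure>\b\w+\b)")?$`)

// parseLine returns only the named captures that took part in the match.
// An optional group that did not match is left out of the map, so a caller
// can tell "field absent" (the null case in the question) from an empty value.
func parseLine(line string) (map[string]string, bool) {
	idx := lineRe.FindStringSubmatchIndex(line)
	if idx == nil {
		return nil, false
	}
	fields := make(map[string]string)
	for i, name := range lineRe.SubexpNames() {
		if name == "" || idx[2*i] < 0 { // unnamed group, or group not matched
			continue
		}
		fields[name] = line[idx[2*i]:idx[2*i+1]]
	}
	return fields, true
}

// Two sample lines from the question, plus one constructed line with neither field.
var samples = []string{
	`2016-12-06 11:13:34 job id: mHiMMDmCDFKDmGXNMhm, lrmsid: 13370`,
	`2016-12-06 11:14:37 job id: dmABFKDmqKcNDmHBFKD, failure: "Timeout"`,
	`2016-12-06 11:15:02 job id: constructedJobId123, state: queued`, // constructed
}

func main() {
	for _, l := range samples {
		f, ok := parseLine(l)
		fmt.Printf("matched=%v fields=%v\n", ok, f)
	}
}
```

Without the end anchor, the third line would still match on its prefix alone and produce a record with neither lrmsid nor failure.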