I want to grok two different fields, such as the email address and the IP.
I am doing the following:
grok { match => [ "message", "%{EMAILADDRESS:username_client} %{IP:client_ip}" ] }
The first bit is fine; however, the %{IP:client_ip} part is wrong. The "message" is basically mixed, such as:
Whatever whatever 200 300 100 [email protected] whatever whatever IP
(or something similar)
You may match any run of zero or more characters with .* (the greedy version; use it if the IP is at the end of the line) or .*? (the lazy version; use it if there are only a few characters between the email and the IP) and put it between the two grok patterns:
"%{EMAILADDRESS:username_client}.*%{IP:client_ip}"
^^
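To make the greedy/lazy difference concrete, here is an added example (not part of the original answer) that expands a small, simplified subset of the Logstash grok patterns (EMAILADDRESS, IP) into Python regexes and runs the three candidate patterns over two constructed log lines. The pattern definitions below are approximations of the shipped Logstash ones, kept short for illustration, and the log lines are made up:

```python
import re

# Simplified versions of the grok patterns shipped with Logstash.
# These are assumptions for the example: close to the real definitions,
# but not byte-for-byte identical (IPv6 is left out, for instance).
GROK_PATTERNS = {
    "IPV4": (
        r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})\.){3}"
        r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})(?![0-9])"
    ),
    "HOSTNAME": (
        r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
        r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\.?"
    ),
    "EMAILLOCALPART": r"[a-zA-Z][a-zA-Z0-9_.+\-=:]+",
}
GROK_PATTERNS["IP"] = GROK_PATTERNS["IPV4"]
GROK_PATTERNS["EMAILADDRESS"] = (
    GROK_PATTERNS["EMAILLOCALPART"] + "@" + GROK_PATTERNS["HOSTNAME"]
)

# %{NAME:field} -> named capture group, %{NAME} -> non-capturing group
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{...} references into a plain Python regex."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)


def grok_match(pattern: str, message: str):
    """Return the captured fields as a dict, or None when the pattern does
    not match (Logstash would tag such an event with _grokparsefailure)."""
    m = re.search(grok_to_regex(pattern), message)
    return m.groupdict() if m else None


# Constructed sample messages (not real log data).
LINE_ONE_IP = (
    "Whatever whatever 200 300 100 alice@example.com whatever whatever 10.0.0.5"
)
LINE_TWO_IPS = (
    "Whatever 200 bob@example.org connected from 192.168.1.10 via proxy 203.0.113.7"
)

ADJACENT = "%{EMAILADDRESS:username_client} %{IP:client_ip}"     # the asker's pattern
GREEDY = "%{EMAILADDRESS:username_client}.*%{IP:client_ip}"      # .* in between
LAZY = "%{EMAILADDRESS:username_client}.*?%{IP:client_ip}"       # .*? in between


def demo() -> dict:
    """Run all three patterns and return the outcomes for comparison."""
    return {
        # Fails: there is text between the email and the IP, so a single
        # space cannot bridge the gap.
        "adjacent": grok_match(ADJACENT, LINE_ONE_IP),
        # Works once .* bridges the gap.
        "greedy_one_ip": grok_match(GREEDY, LINE_ONE_IP),
        # With two IPs on the line, greedy .* backtracks from the end and
        # captures the LAST IP ...
        "greedy_two_ips": grok_match(GREEDY, LINE_TWO_IPS),
        # ... while lazy .*? stops at the FIRST IP after the email.
        "lazy_two_ips": grok_match(LAZY, LINE_TWO_IPS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The practical point for a filter pipeline: when a line carries more than one address (a client IP plus a proxy or forwarded-for address, say), .* and .*? silently pick different ones, so decide which IP you actually want before choosing the greedy or lazy form, and test the pattern against lines that contain both. Unanchored .* on long messages also costs backtracking time, which is why anchoring the pattern or matching a more specific separator is preferable when the message layout is known.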