From string
""message" => "27.03.2018 07:53:39 [ERROR] at MyApp.Controllers.Controller.OnException: \nMessage: Controller exception!\nUser: TestUser \nHost: MyLaptop\n\nSystem.Exception: Testing\n at MyApp.Controllers.DoController.Do() in C:\\Users\\User\\Source\\Controllers\\DoController.cs:line 20\n at lambda_method(Closure , ControllerBase , Object[] )\n at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)\n""
I am trying to match the "\n User \n" and put it into a new field called User. With gsub I can mutate it fine with the following conf:
mutate {
  gsub => [
    "message", "[\n]^User.*\n", "changed"
  ]
}
But putting that into grok results in grokparsefailure. How can I use that in grok?
I ended up with:
grok {
  match => {
    "message" => "User:%{GREEDYDATA:user}\n"
  }
}
This seems to be matching everything between "User:" and "\n"
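What the pattern above captures, as an added example that is not part of the original post: Ruby's regex syntax is the Oniguruma syntax grok uses, so this small stand-in expands the `%{NAME:field}` form and runs it over a shortened copy of the message. `compile_grok`, `grok_match`, the `TRIMMED` pattern and the `EMBEDDED` sample are hypothetical names and assumptions made for the illustration.

```ruby
# Added example: a tiny stand-in for grok's %{NAME:field} expansion.
# Only the stock grok patterns used below are defined.
GROK = {
  "GREEDYDATA" => ".*",   # greedy, but "." does not cross a newline
  "NOTSPACE"   => "\\S+",
}.freeze

# Expand %{NAME:field} into a named capture group and compile the result.
def compile_grok(pattern)
  Regexp.new(pattern.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{GROK.fetch($1)})" })
end

# Return the captured fields as a hash, or nil when nothing matches
# (the case in which grok tags the event _grokparsefailure).
def grok_match(pattern, message)
  m = compile_grok(pattern).match(message)
  m && m.names.zip(m.captures).to_h
end

# Constructed sample: shortened copy of the message from the post, with real newlines.
MESSAGE = "27.03.2018 07:53:39 [ERROR] at MyApp.Controllers.Controller.OnException: \n" \
          "Message: Controller exception!\nUser: TestUser \nHost: MyLaptop\n\n" \
          "System.Exception: Testing\n"

# Constructed sample: the Message line itself happens to contain "User:".
EMBEDDED = "Message: lookup failed for User: nobody \nUser: TestUser \nHost: MyLaptop\n"

POSTED  = 'User:%{GREEDYDATA:user}\n'   # pattern from the post
TRIMMED = '^User:\s*%{NOTSPACE:user}'   # assumption: user names contain no whitespace

if __FILE__ == $PROGRAM_NAME
  [MESSAGE, EMBEDDED].each do |msg|
    [POSTED, TRIMMED].each do |pat|
      puts "#{pat.ljust(28)} -> #{grok_match(pat, msg).inspect}"
    end
  end
end
```

The posted pattern keeps the spaces around the name and takes the first `User:` anywhere in the event, while the line-anchored variant returns the bare name from the line that starts with `User:`.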