So I have a fresh logstash install and I am trying to deploy logstash to get a handle on the logs.
I am going through and will eventually segment the logstash filters based on subsystem and currently I am working on parsing osd logs.
Here is a sample line I am working with:
2015-06-02 16:45:49.515277 7f4968cfe700 0 -- 10.16.64.68:6813/97613 >> 10.16.64.29:6805/35260 pipe(0x25e36500 sd=538 :6813 s=2 pgs=15426 cs=623 l=0 c=0x1586fa20).fault with nothing to send, going to standby
My filter currently looks like this:
%{TIMESTAMP_ISO8601:date} %{BASE16FLOAT:osd_epoch} %{NUMBER:error_bool} -- %{CEPH_HOST:client_A} %{FROMTO} %{CEPH_HOST:client_B}
Where ${CEPH_HOST} and ${FROMTO} are just short patterns:
FROMTO (?:[<|>]){1,2}
CEPH_HOST (%{IPORHOST:ip}\:%{POSINT:port}/%{POSINT:socket})
The issue is that IP now seems to house two addresses.
"client_A": [
[
"10.16.64.68:6813/97613"
]
],
"ip": [
[
"10.16.64.68",
"10.16.64.29"
]
],
"HOSTNAME": [
[
"10.16.64.68",
"10.16.64.29"
I would like to grok it so that client_a has an IP and client_b has an IP.
However, does it matter in the end?
Can I leave it as is?
If so, will I be able to sort it later? If not, how do I segment it so that client_a and client_b are separated?
Do I need to create a "unique" pattern for both?
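The collision described in the post, reproduced as an added example (not part of the original post and not Logstash's own code): a small Python emulation of grok expansion showing that reusing one sub-pattern with a fixed inner field name collects both addresses under "ip", while per-side field names keep them apart. The IPORHOST and POSINT regexes are simplified stand-ins, and CEPH_HOST_A, CEPH_HOST_B and the client_a_*/client_b_* field names are hypothetical.

```python
import re

# Sample line from the post, truncated after the second address.
LINE = ("2015-06-02 16:45:49.515277 7f4968cfe700 0 -- "
        "10.16.64.68:6813/97613 >> 10.16.64.29:6805/35260 pipe(0x25e36500")

def ceph_host(prefix):
    # Same shape as the post's CEPH_HOST, with per-side field names.
    return (f"%{{IPORHOST:{prefix}_ip}}:%{{POSINT:{prefix}_port}}"
            f"/%{{POSINT:{prefix}_socket}}")

PATTERNS = {
    "IPORHOST": r"[0-9A-Za-z][0-9A-Za-z.\-]*",   # simplified stand-in
    "POSINT": r"[1-9][0-9]*",                    # simplified stand-in
    "FROMTO": r"(?:[<|>]){1,2}",                 # as in the post
    "CEPH_HOST": r"%{IPORHOST:ip}:%{POSINT:port}/%{POSINT:socket}",
    "CEPH_HOST_A": ceph_host("client_a"),        # hypothetical
    "CEPH_HOST_B": ceph_host("client_b"),        # hypothetical
}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def compile_grok(expr):
    """Expand %{NAME:field} recursively into a regex plus (group, field) pairs."""
    groups = []
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = TOKEN.sub(expand, PATTERNS[name])
        if field is None:
            return f"(?:{body})"
        alias = f"g{len(groups)}"        # unique group name per capture
        groups.append((alias, field))
        return f"(?P<{alias}>{body})"
    return re.compile(TOKEN.sub(expand, expr)), groups

def grok(expr, line):
    """Return the event dict; a field captured twice becomes a list."""
    regex, groups = compile_grok(expr)
    m = regex.search(line)
    if m is None:
        return None
    event = {}
    for alias, field in groups:
        event.setdefault(field, []).append(m.group(alias))
    return {k: v[0] if len(v) == 1 else v for k, v in event.items()}

SHARED = "-- %{CEPH_HOST:client_A} %{FROMTO} %{CEPH_HOST:client_B}"
SPLIT = "-- %{CEPH_HOST_A:client_a} %{FROMTO} %{CEPH_HOST_B:client_b}"

if __name__ == "__main__":
    print(grok(SHARED, LINE))   # "ip" holds both addresses
    print(grok(SPLIT, LINE))    # one IP field per side
```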