Which of the log messages below matches the following Logstash grok filter?

    grok {
      match => ["message", "%{SYSLOGBASE} new node %{IPORHOST:node}"]
    }
The filter's %{SYSLOGBASE} pattern matches the standard syslog prefix: a syslog timestamp, an optional facility/priority, the originating host, and the program name with an optional bracketed process ID, terminated by a colon (in the stock grok patterns it expands to %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:). That prefix must be followed by the literal text 'new node' and then an IPv4/IPv6 address or hostname, which %{IPORHOST:node} captures into the 'node' field. Option B, 'Jun 30 00:36:49 headnode clustermanager[12353]: new node 198.51.100.103', has exactly this shape: SYSLOGBASE consumes 'Jun 30 00:36:49 headnode clustermanager[12353]:' (yielding timestamp, logsource 'headnode', program 'clustermanager' and pid '12353'), and '198.51.100.103' lands in 'node'. Note that grok does not anchor patterns by default, so a line that merely contains such a substring would also match; in production filters it is good practice to prefix the pattern with ^ so that a non-matching line fails fast instead of being scanned position by position.
The correct answer is B. The filter %{SYSLOGBASE} new node %{IPORHOST:node} will match B:

    Jun 30 00:36:49 headnode clustermanager[12353]: new node 198.51.100.103

and result in the following fields:

    SYSLOGBASE: Jun 30 00:36:49 headnode clustermanager[12353]:
    node: 198.51.100.103
https://discuss.elastic.co/t/what-does-the-field-in-grok-message-do/2253/2
Correct is B