henrikjohansen
commented
5 years ago bump.
Open henrikjohansen opened 6 years ago
henrikjohansen
commented
5 years ago bump.
anagrius
commented
5 years ago Would not a grok function work?
Something like:
case {
foo | grok("%{CISCOTIMESTAMP:timestamp} %{HOST:host}");
bar | grok("%{NUMBER:duration}%{NOTSPACE} %{GREEDYDATA:kernel_logs}");
*;
}This would require configuring / uploading / editing for a collection of grok patterns.
Personally I think this would open the door to getting a LOT of existing parsers into humio.
@henrikjohansen @pmech @chvitved Thoughts?
pmech
commented
5 years ago That is how I perceive a solution as well. The main issue it to settle on a mechanism for uploading existing patterns, so this gets copied around the cluster.
mwl
commented
5 years ago I'm no fan of GROK and the current Java/jvm implementation aren't exactly great either. So I think we'll have a hard time actually achieving that with GROK.
anagrius
commented
5 years ago That is how I perceive a solution as well. The main issue it to settle on a mechanism for uploading existing patterns, so this gets copied around the cluster.
just use the Files view and use the same mechanism
dmitry-ee
commented
3 years ago +1 for this feature! Even if you are not a fan of Grok itself, it's much easier to find useful grok patterns for everything (like for java gc.log)
Event parsing is really the absolute weakest point in Humio ATM. You should consider adding grok (not because grok is the greatest thing in parsing) but because it would enable reuse of lots and lots of existing grok patterns.
Related to #16