grok_change

commit a621a043beecc78157cb8f1c54dd61054b003537
Author: Jian Chen <[email protected]>
Date:   Mon Jun 20 20:26:22 2016 +0800

    improve prism message grok pattern

diff --git a/metadata.rb b/metadata.rb
index 3711cf5..8663ad9 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email '[email protected]'
 license          'All rights reserved'
 description      'Installs/Configures logstash'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.8.7'
+version          '0.8.8'

 depends "bluepill", ">= 2.3.0"
 depends "syslog-ng"
diff --git a/templates/default/indexer.json.erb b/templates/default/indexer.json.erb
index 0eb6992..c107492 100644
--- a/templates/default/indexer.json.erb
+++ b/templates/default/indexer.json.erb
@@ -139,7 +139,7 @@ filter {
       patterns_dir => "/etc/logstash/patterns"
       break_on_match => true
       match => [
-        "message" , "(?:%{INT:account_id:int})?/(?:%{INT:app_id:int})?/(?:%{D:session_guid})?/(?:%{D:session_number})?/%{D}/(?:%{D:call_id})?/\[%{D:thread_id}\]/(?:%{PRISM_TYPE:prism_type})?%{GD:log_msg}",
+        "message" , "(?:%{INT:account_id:int})?/(?:%{INT:app_id:int})?/(?:%{S_ID:session_guid})?/(?:%{S_ID:session_number})?/%{SSDD}/(?:%{D:call_id})?/\[%{D:thread_id}\]/(?:%{PRISM_TYPE:prism_type})?%{GD:log_msg}",
         "message" , "%{D:app} %{GD:log_msg}",
         "message" , "%{GD:log_msg}"
       ]
diff --git a/templates/default/prism.erb b/templates/default/prism.erb
index 5b74298..4add2af 100644
--- a/templates/default/prism.erb
+++ b/templates/default/prism.erb
@@ -2,6 +2,8 @@
 Q ("){1}
 GD %{GREEDYDATA}
 D %{DATA}
+S_ID [0-9a-z]{32}
+SSDD [0-9a-z]{1,32}

 ## Had to add the extra whitespace check on millisecs, because pgw- logs are actin a fool
 SECOND (?:(?:[0-5][0-9]|60)(?:\s?[.,][0-9]+)?)