michaelcoyote/networker_daemonlog.conf

## networker_daemonlog.conf
# Basic dumb simple networker daemon log grok filter for the NetWorker daemon.log
filter {
    grok {
        patterns_dir => "./patterns"
        #
        # NetWorker logfiles have some unusual fields that include undocumented engineering codes and what not
        # time is in 12h format (ugh) so custom patterns need to be used.
        #  engcode1_Date&time in ampm format_engcode2_engcode3_engcode4_Parent Process ID_Process ID_engcode5_Process Host_Process Name_Everything else
        match => [ "message", "%{NUMBER:engcode1} %{DATESTAMP_12H:timestamp}  %{NUMBER:engcode2} %{NUMBER:engcode3} %{NUMBER:engcode4} %{NUMBER:ppid} %{NUMBER:pid} %{NUMBER:engcode5} %{WORD:processhost} %{WORD:processname} %{GREEDYDATA:daemon_message}" ]
    }
    # This is requred to set the time from the logline to the timestamp and not have it create it's own.
    # Note the use of the trailing 'a' to denote AM or PM.
    date {
        match => ["timestamp", "MM/dd/yyyy HH:mm:ss a"]
    }
    # attempt to find completed savesets and pull that info from the daemon_message field
    if [daemon_message] =~ /done\ saving\ to\ pool/  {
        grok {
            match => [
                # known issue: savehost will miss the hostname in a FQDN.
                "daemon_message", "%{WORD:savehost}\:%{GREEDYDATA:saveset} done saving to pool \'%{GREEDYDATA:pool}\' \(%{WORD:volume}\) %{NUMBER:ss_bytes_base} %{WORD:ss_multiplier}"
            ]
            add_field => [ "saveset_completed", "%{@timestamp}" ]
        }
        #ruby {
        #    code => [
        #    ]
        #}
    }
    # Pull out savegroup completions and parse out the client and group info.
    if [daemon_message] =~ /savegroup\ alert\:\ / {
        grok {
            break_on_match => true
            match => [
                "daemon_message", "savegroup alert\: %{GREEDYDATA:savegroup} completed\, Total %{NUMBER:sgclientstotal} client\(s\)\, %{NUMBER:sgclientsfailed} Failed\, %{NUMBER:sgclientssucceded} Succeeded",
                "daemon_message", "savegroup alert\: %{GREEDYDATA:savegroup} completed\, Total %{NUMBER:sgclientstotal} client\(s\)\, %{NUMBER:sgclientsfailed} Failed",
                "daemon_message", "savegroup alert\: %{GREEDYDATA:savegroup} completed\, Total %{NUMBER:sgclientstotal} client\(s\)\, %{NUMBER:sgclientssucceded} Succeeded"
            ]

        }
    }
}
	# Basic dumb simple networker daemon log grok filter for the NetWorker daemon.log
	filter {
	grok {
	patterns_dir => "./patterns"
	#
	# NetWorker logfiles have some unusual fields that include undocumented engineering codes and what not
	# time is in 12h format (ugh) so custom patterns need to be used.
	# engcode1_Date&time in ampm format_engcode2_engcode3_engcode4_Parent Process ID_Process ID_engcode5_Process Host_Process Name_Everything else
	match => [ "message", "%{NUMBER:engcode1} %{DATESTAMP_12H:timestamp} %{NUMBER:engcode2} %{NUMBER:engcode3} %{NUMBER:engcode4} %{NUMBER:ppid} %{NUMBER:pid} %{NUMBER:engcode5} %{WORD:processhost} %{WORD:processname} %{GREEDYDATA:daemon_message}" ]
	}
	# This is requred to set the time from the logline to the timestamp and not have it create it's own.
	# Note the use of the trailing 'a' to denote AM or PM.
	date {
	match => ["timestamp", "MM/dd/yyyy HH:mm:ss a"]
	}
	# attempt to find completed savesets and pull that info from the daemon_message field
	if [daemon_message] =~ /done\ saving\ to\ pool/ {
	grok {
	match => [
	# known issue: savehost will miss the hostname in a FQDN.
	"daemon_message", "%{WORD:savehost}\:%{GREEDYDATA:saveset} done saving to pool \'%{GREEDYDATA:pool}\' \(%{WORD:volume}\) %{NUMBER:ss_bytes_base} %{WORD:ss_multiplier}"
	]
	add_field => [ "saveset_completed", "%{@timestamp}" ]
	}
	#ruby {
	# code => [
	# ]
	#}
	}
	# Pull out savegroup completions and parse out the client and group info.
	if [daemon_message] =~ /savegroup\ alert\:\ / {
	grok {
	break_on_match => true
	match => [
	"daemon_message", "savegroup alert\: %{GREEDYDATA:savegroup} completed\, Total %{NUMBER:sgclientstotal} client\(s\)\, %{NUMBER:sgclientsfailed} Failed\, %{NUMBER:sgclientssucceded} Succeeded",
	"daemon_message", "savegroup alert\: %{GREEDYDATA:savegroup} completed\, Total %{NUMBER:sgclientstotal} client\(s\)\, %{NUMBER:sgclientsfailed} Failed",
	"daemon_message", "savegroup alert\: %{GREEDYDATA:savegroup} completed\, Total %{NUMBER:sgclientstotal} client\(s\)\, %{NUMBER:sgclientssucceded} Succeeded"
	]

	}
	}
	}