从日志字符串中删除“ms”并转换为 INT 的 Grok 模式

Question

first time long time.

I have this log message:

2022/05/04 09:24:08 INTERESTING UpdateStatus: active: 45 waiting: 0 connections: 91 max dbcmd queue length: 3 max dbcmd response time: 19ms cmds processed: 6 nacks: 0 nresent: 0

I have this grok pattern to parse it:

%{DATE} %{TIME} %{WORD:log_level} %{WORD:update_status}: active: %{INT:active} waiting: %{INT:waiting} connections: %{INT:connections} max dbcmd queue length: %{NUMBER:max_dbcmd_queue_length} max dbcmd response time: %{WORD:max_dbcmd_response_time} cmds processed: %{NUMBER:cmds_processed} nacks: %{NUMBER:nacks} nresent: %{NUMBER:nresent}

All is ok and great except for one thing,

This value I would like to extract the response time and graph the int (19).

max dbcmd response time: 19ms

But the only way I can get grok to be happy is to make it a WORD because of the "ms".

max dbcmd response time: %{WORD:max_dbcmd_response_time}

I really want 19 to be an INT and I can't figure out how to remove or ignore the "ms" tagged to the end of the number "19ms".

Answer 1

You can use INT but then you need to add ms or \w* after the pattern part:

%{INT:max_dbcmd_response_time}ms
%{INT:max_dbcmd_response_time}\w*

The full pattern:

%{DATE} %{TIME} %{WORD:log_level} %{WORD:update_status}: active: %{INT:active} waiting: %{INT:waiting} connections: %{INT:connections} max dbcmd queue length: %{NUMBER:max_dbcmd_queue_length} max dbcmd response time: %{INT:max_dbcmd_response_time}ms cmds processed: %{NUMBER:cmds_processed} nacks: %{NUMBER:nacks} nresent: %{NUMBER:nresent}

Or

%{DATE} %{TIME} %{WORD:log_level} %{WORD:update_status}: active: %{INT:active} waiting: %{INT:waiting} connections: %{INT:connections} max dbcmd queue length: %{NUMBER:max_dbcmd_queue_length} max dbcmd response time: %{INT:max_dbcmd_response_time}\w* cmds processed: %{NUMBER:cmds_processed} nacks: %{NUMBER:nacks} nresent: %{NUMBER:nresent}