grok filter for logstash
Question
My log file has lines of the form:
10/13 14:05:18.192 [modulename]: [pid]: (debug level string): message string XYZ:<xyz value>
where
-
modulenameis a string -
pidis an integer number -
debug level stringis a string like "debug" or "info" or "error" -
message stringis a string -
xyz valueis an integer number
example:
10/13 14:05:18.192 [MyModule]: [12345]: (debug): This is my message. XYZ: 987
I searched around and tried a few things, but am getting _grokparsefailure . Can someone help show me what filter I can use in logstash to parse these logs?
1 answers
solution1
0 2014-10-15 22:37:54
First of all {GREEDYDATA} means until the end of a logging event. So, all the text that resides after dbg_lvl will be assigned to {GREEDYDATA}
Here, try the following code. The problem with your code filter was it was not able to parse anything after msg . Hope this helps.
(?<date>\\d\\d/\\d\\d) %{TIME:time} \\[%{WORD:module}\\]: \\[%{WORD:pid}\\]: \\(%{WORD:log_level}\\): %{CISCO_REASON}. %{WORD}: %{BASE10NUM:xyz_number}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.