basically I need to filter out Date - SEVERITY - JAVACLASSNAME - ERROR MESSAGE.
This is working for me..But its just half done. (?[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}) %{WORD:Severity}(?:%{GREEDYDATA:msg})
It doesnt show Javaclass..!
Here is the output I get
{ "Timestamp": [ [ "2015-03-03 03:12:16,978" ] ], "Severity": [ [ "INFO" ] ], "Error_Message": [ [ " [http-bio-16006-exec-71] [XYZ.ABC.JLM.app.task.ERT] [app:/saas reqid:23121221 jsid:* aid:* uid: org: vorg: un:] - Received to update queued for monitorId=54213213JBNJBSJBSJBS, worklow=8u298u2189u312, session=21684216814321" ] ] }
LOGLINE
2015-03-03 03:12:16,978 INFO [http-bio-16006-exec-71] [XYZ.ABC.JLM.app.task.ERT] [app:/saas reqid:23121221 jsid:* aid:* uid: org: vorg: un:] - Received to update queued for monitorId=54213213JBNJBSJBSJBS, worklow=8u298u2189u312, session=21684216814321
This should work:
filter {
grok {
match => [
"message",
"%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:severity} \[(?<threadname>[^\]]+)\] \[(?<classname>[^\]]+)\] %{GREEDYDATA:message}"
]
overwrite => ["message"]
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.