How to parse logs using logstash
Question
I have such message to be parsed by grok filters:
"@timestamp":"2019-12-16T08:57:33.804Z","@version":"1","message":"[Optional[admin]] (0.0.0.0, 0.0.0.0|0.0.0.0) 9999 approve 2019-12-16T08:57:30.414732Z","logger_name":"com.company.asd.asd.web.rest.MyClass","thread_name":"XNIO-1 task-5","level":"INFO","level_value":20000,"app_name":"asd","instance_id":"asd-123","app_port":"8080","version":"0.0.1-SNAPSHOT"
I tried http://grokdebug.herokuapp.com/ to parse my logs and i wrote such regexp to do it:
"@timestamp":"%{TIMESTAMP_ISO8601:logTime}","@version":"%{INT:version}","message":"[\\D*[%{WORD:login}]] (%{IPV4:forwardedFor}\\, %{IPV4:remoteAddr}\\|%{IPV4:remoteAddr}) %{WORD:identificator} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}
it seems working in this debugger, but when i try to add this line to my filter in .conf file everything it writes is _grokparsefailure and my message remains unchanged, my filter:
filter {
grok {
match => { "message" => ""@timestamp":"%{TIMESTAMP_ISO8601:logTime}","@version":"%{INT:version}","message":"\[\D*\[%{WORD:login}]\] \(%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}\|%{IPV4:remoteAddr}\) %{WORD:identificator} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}" }
}
}
1 answers
solution1
0 ACCPTED 2019-12-16 13:26:16
try the below grok,
filter {
grok {
match => { "message" => "\"@timestamp\":\"%{TIMESTAMP_ISO8601:logTime}\",\"@version\":\"%{INT:version}\",\"message\":\"\[\D*\[%{WORD:login}]\] \(%{IPV4:forwardedFor}\, %{IPV4:remoteAddr}\|%{IPV4:remoteAddr}\) %{WORD:identificator} %{WORD:methodName} %{TIMESTAMP_ISO8601:actionaDate}%{GREEDYDATA:all}" }
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.