
logstash grok filter annoyance

Thu Sep 27 15:30:27 BST 2012:- Invalid token $_POST[custom], which indicates the amount, userid

This is from a log file I'm trying to parse using grok for logstash.

The first few fields are ok, and it seemed very close to DATESTAMP_OTHER, but I think that the UK timezone of BST is messing that up.

Got as far as this, but not sure how to make it work!

%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %([PMCEB][SD]T) %{YEAR} %{GREEDYDATA:message}

1) Try out the Grok Debugger which will allow you to test your Grok patterns, on the spot.

2) Also, change your %([PMCEB][SD]T) for something like (?<variable_name>(BST)*) to start off with. You are using the wrong syntax for plain regex.

3) Most important: read the docs. Everything I have just mentioned came directly from the docs.

Here is my approach to the problem:

TZEXPANDED (?:[PMCEB][SD]T)
MYCUSTOM %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZEXPANDED} %{YEAR}

Or if you prefer:

MYCUSTOM %{DAY} %{MONTH} %{MONTHDAY} %{TIME} (?:[PMCEB][SD]T) %{YEAR}

In my opinion, the first option is better, because you can use the pattern later on for something else.

Greetings
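
An added example (not part of the original question or answers): a small Ruby sketch that mimics grok's %{NAME} expansion and runs the patterns from this page against the sample log line. The base pattern bodies are simplified stand-ins for the stock grok definitions, and the helper names `expand` and `grok`, the `tz` and `timestamp` field names, and the `:- ` separator in the last pattern are assumptions of this sketch.

```ruby
# Simplified stand-ins for the stock grok patterns (assumption: the
# definitions shipped with Logstash are stricter than these).
PATTERNS = {
  'DAY'        => '(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)',
  'MONTH'      => '(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)',
  'MONTHDAY'   => '(?:0[1-9]|[12][0-9]|3[01]|[1-9])',
  'TIME'       => '(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]',
  'YEAR'       => '\d{4}',
  'GREEDYDATA' => '.*',
  # The two custom definitions from the second answer.
  'TZEXPANDED' => '(?:[PMCEB][SD]T)',
  'MYCUSTOM'   => '%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZEXPANDED} %{YEAR}'
}.freeze

# Expand %{NAME} and %{NAME:field} references until none are left.
# Anything else, including "%(", is passed to the regex engine untouched.
def expand(pattern)
  loop do
    replaced = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
      name, field = $1, $2
      body = PATTERNS.fetch(name)
      field ? "(?<#{field}>#{body})" : "(?:#{body})"
    end
    return replaced if replaced == pattern
    pattern = replaced
  end
end

# Return the named captures as a Hash, or nil when the line does not match.
def grok(pattern, line)
  m = Regexp.new(expand(pattern)).match(line)
  m && m.named_captures
end

# Sample line copied from the question.
LINE = 'Thu Sep 27 15:30:27 BST 2012:- Invalid token $_POST[custom], ' \
       'which indicates the amount, userid'

# The question's pattern: "%(" is a literal "%" followed by a group,
# so the line would need to contain "%BST".
ASKED = '%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %([PMCEB][SD]T) %{YEAR} %{GREEDYDATA:message}'
# Timezone syntax corrected, but the line has ":- " after the year, not a space.
TZ_ONLY = '%{DAY} %{MONTH} %{MONTHDAY} %{TIME} (?<tz>[PMCEB][SD]T) %{YEAR} %{GREEDYDATA:message}'
# Reusable MYCUSTOM pattern plus the literal separator from the sample line.
FIXED = '%{MYCUSTOM:timestamp}:- %{GREEDYDATA:message}'

p grok(ASKED, LINE), grok(TZ_ONLY, LINE), grok(FIXED, LINE)
```

Only the last pattern matches; the first two return nil for the reasons given in the comments.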
