grok pattern for jmeter

1
votes

i am trying to parse the below log

2015-07-07T17:51:30.091+0530,857,SelectAppointment,Non HTTP response code: java.net.URISyntaxException,FALSE,8917,20,20,0,1,1,byuiepsperflg01

Now I am unable to parse Non HTTP response code: java.net.URISyntaxException in one field. Please help be build the pattern

This is the pattern I'm using

%{TIMESTAMP_ISO8601:log_timestamp}\,%{INT:elapsed}\,%{WORD:label}\,%{INT:respons‌ecode}\,%{WORD:responsemessage}\,%{WORD:success}\,%{SPACE:faliusemessage}\,%{INT:‌​bytes}\,%{INT:grpThreads}\,%{INT:allThreads}\,%{INT:Latency}\,%{INT:SampleCount}\‌​,%{INT:ErrorCount}\,%{WORD:Hostname}

1
logstashgroklogstash-grok
If you post the pattern you're using, we could critique it. On first glance, separating by commas (perhaps with the csv{} filter) might be a good pattern. - Alain Collins
%{TIMESTAMP_ISO8601:log_timestamp}\,%{INT:elapsed}\,%{WORD:label}\,%{INT:responsecode}\,%{WORD:responsemessage}\,%{WORD:success}\,%{SPACE:faliusemessage}\,%{INT:bytes}\,%{INT:grpThreads}\,%{INT:allThreads}\,%{INT:Latency}\,%{INT:SampleCount}\,%{INT:ErrorCount}\,%{WORD:Hostname} - user3045254
The exception need to go in response code field - user3045254

1 Answers

0
votes

If you paste your input and pattern into the grok debugger, it says "Compile ERROR". It might be an SO problem, but you had some weird characters in your pattern ("<200c><200b>").

The trick to building custom patterns is to start at the left side and pull one piece off at a time. With that, you would notice that this partial pattern works:

%{TIMESTAMP_ISO8601:log_timestamp},%{INT:elapsed},%{WORD:label}

but this one returns "No Matches":

%{TIMESTAMP_ISO8601:log_timestamp},%{INT:elapsed},%{WORD:label},%{INT:respons‌​ecode}

because you don't have an integer in that position.

Continue adding fields one at a time until everything you want is matched.

Note that you don't have to escape the commas.