0
votes

I have this pattern and I want the grok filter for this:

24 May 2016 23:04:03,003 [] [] [] INFO  [listenerContainer-35] com.newworld.mmp.orderlist.NewDataUtil -  | 1464048002998 | 201605233157123319 | Account | 6757862509896 | DHW | 2016-05-23T23:59:56.621Z | 2016-05-24T00:00:02.676Z | STARTED PROCESSING

I wrote the pattern but it is incomplete:

%{MONTHDAY} %{MONTH} 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{DATA:junk} %{DATA:junk} %{DATA:junk} %{LOGLEVEL:level} %{DATA:junk1} %{JAVACLASS:class} 

The %{POSINT:mynewint} or %{NUMBER:mynewint} for the 1464048002998 is not working.

Like %{MONTHDAY} %{MONTH} 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{DATA:junk} %{DATA:junk} %{DATA:junk} %{LOGLEVEL:level} %{DATA:junk1} %{JAVACLASS:class}- | %{POSINT:mynewint}

I need help with this and the complete grok expression.

1
What are the fields you are expecting in the output? Can you please explain your expected output? - Mrunal Pagnis

1 Answer

0
votes

Your Log line:

24 May 2016 23:04:03,003 [] [] [] INFO  [listenerContainer-35] com.newworld.mmp.orderlist.NewDataUtil -  | 1464048002998 | 201605233157123319 | Account | 6757862509896 | DHW | 2016-05-23T23:59:56.621Z | 2016-05-24T00:00:02.676Z | STARTED PROCESSING

SAMPLE GROK PATTERN that matches your log record: 
%{MONTHDAY:MonthDay} %{MONTH:Month} %{YEAR:Year} %{TIME:Time} \[] \[] \[] %{LOGLEVEL:LogLevel}  %{NOTSPACE:ListenerContainer} %{JAVACLASS:JavaClass} -  \| %{NUMBER:Number1} \| %{NUMBER:Number2} \| %{WORD:Account} \| %{NUMBER:Number3} \| %{WORD:DHW} \| %{TIMESTAMP_ISO8601:Timestamp1} \| %{TIMESTAMP_ISO8601:Timestamp2} \| %{JAVALOGMESSAGE:LogMessage}

This will give output fields as follows:

  • MonthDay = 24
  • Month = May
  • Year = 2016
  • Time = 23:04:03,003
  • LogLevel = INFO
  • ListenerContainer = [listenerContainer-35]
  • JavaClass = com.newworld.mmp.orderlist.NewDataUtil
  • Number1 = 1464048002998
  • Number2 = 201605233157123319
  • Account
  • Number3 = 6757862509896
  • DHW
  • Timestamp1 = 2016-05-23T23:59:56.621Z
  • Timestamp2 = 2016-05-24T00:00:02.676Z
  • LogMessage = STARTED PROCESSING

You can try your own grok filters, and create, parse and test them on the following site: http://grokconstructor.appspot.com/do/construction
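
Added example, not part of the answer above: a small Python stand-in for grok that runs the answer's pattern against the log line and shows what happens when a `|` separator is left unescaped. The `GROK` table holds simplified regexes assumed for this log line rather than the stock Logstash definitions, and `grok_to_regex`, `grok`, `cls` and `num` are names chosen here.

```python
import re

# Simplified stand-ins for the grok definitions used on this page (assumption:
# adequate for this log line; these are not the stock Logstash pattern files).
GROK = {
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTH": r"[A-Z][a-z]{2,8}",
    "YEAR": r"\d{4}",
    "TIME": r"\d{1,2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)",
    "NOTSPACE": r"\S+",
    "JAVACLASS": r"(?:[A-Za-z_$][\w$]*\.)*[A-Za-z_$][\w$]*",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "WORD": r"\b\w+\b",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z",
    "JAVALOGMESSAGE": r".*",
}

# Log line and pattern copied from the answer above.
LINE = ("24 May 2016 23:04:03,003 [] [] [] INFO  [listenerContainer-35] "
        "com.newworld.mmp.orderlist.NewDataUtil -  | 1464048002998 | "
        "201605233157123319 | Account | 6757862509896 | DHW | "
        "2016-05-23T23:59:56.621Z | 2016-05-24T00:00:02.676Z | STARTED PROCESSING")
PATTERN = (r"%{MONTHDAY:MonthDay} %{MONTH:Month} %{YEAR:Year} %{TIME:Time} "
           r"\[] \[] \[] %{LOGLEVEL:LogLevel}  %{NOTSPACE:ListenerContainer} "
           r"%{JAVACLASS:JavaClass} -  \| %{NUMBER:Number1} \| %{NUMBER:Number2} "
           r"\| %{WORD:Account} \| %{NUMBER:Number3} \| %{WORD:DHW} "
           r"\| %{TIMESTAMP_ISO8601:Timestamp1} \| %{TIMESTAMP_ISO8601:Timestamp2} "
           r"\| %{JAVALOGMESSAGE:LogMessage}")

def grok_to_regex(pattern):
    """Expand %{NAME:field} and %{NAME} into a Python regex with named groups."""
    def expand(m):
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))

def grok(pattern, line):
    """Unanchored search, like grok; returns the captured fields or None."""
    m = grok_to_regex(pattern).search(line)
    return None if m is None else {k: v for k, v in m.groupdict().items() if v is not None}

if __name__ == "__main__":
    for field, value in grok(PATTERN, LINE).items():
        print(f"{field} = {value}")
    # Unescaped "|" is regex alternation: the match "succeeds" with a wrong value.
    print(grok(r"%{JAVACLASS:cls} -  | %{NUMBER:num}", LINE))
    print(grok(r"%{JAVACLASS:cls} -  \| %{NUMBER:num}", LINE))
```

In this example the unescaped `|` does not make the match fail: it splits the expression into two alternatives, so `num` picks up `2016` from the date and `cls` is never captured. A parser that succeeds with the wrong value is harder to spot downstream than one that fails outright.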