1
votes

I am facing an issue while using the Grok filter. Below is my filter, which works as expected as long as the class name does not have $ in it. When the thread name is like PropertiesReader$, it fails. What else can I use so it can parse class names with special characters?

filter {
    grok {
        match => [ "message", "%{TIMESTAMP_ISO8601:LogDate} %{LOGLEVEL:loglevel} %{WORD:threadName}:%{NUMBER:ThreadID} - %{GREEDYDATA:Line}" ]
    }
    json {
        source => "Line"
    }
    mutate {
        remove_field => [ "Line" ]
    }
}

3 Answers

2
votes

You aren't limited to grok pattern names. You can do any regex. For example in place of %{WORD:threadName} you can put (?<threadName>[^:]+) which says to match any character that isn't a : and assign it to threadName.

1
votes

You are using WORD as a pattern for your threadname which does not contain special characters. To confirm this let's take a look at this pattern: WORD \b\w+\b

Use a custom pattern. Just describe it in a file like this:

MYPATTERN ([A-z]+\$?)

Then you can use it in your config like this:

grok {
    # directory containing the file that defines MYPATTERN
    patterns_dir => ["/path/to/pattern/dir"]
    match => [ "message", "%{TIMESTAMP_ISO8601:LogDate} %{LOGLEVEL:loglevel} %{MYPATTERN:threadName}:%{NUMBER:ThreadID} - %{GREEDYDATA:Line}" ]
}

You'll find more information about custom patterns in the docs.

0
votes

You could also try with %{DATA:threadName} instead of %{WORD:threadName}, if your threadName won't contain whitespaces or colons.
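
Added example (not part of any answer above, and not Logstash's own code): a Ruby check of the four thread-name patterns from this thread against constructed log lines, showing which ones leave a line unparsed. Ruby's regex syntax is close to the Oniguruma syntax grok uses; TS, LEVEL and NUMBER are simplified stand-ins for the grok patterns, and the `$1` sample goes beyond the case in the question.

```ruby
# Simplified stand-ins (assumptions) for grok's TIMESTAMP_ISO8601, LOGLEVEL, NUMBER.
TS     = '\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?'
LEVEL  = '[A-Z]+'
NUMBER = '\d+'

# Thread-name sub-patterns from the question and the three answers.
CANDIDATES = {
  'WORD'      => '\b\w+\b',      # %{WORD}, definition quoted in the second answer
  'NOT_COLON' => '[^:]+',        # (?<threadName>[^:]+) from the first answer
  'MYPATTERN' => '([A-z]+\$?)',  # custom pattern from the second answer
  'DATA'      => '.*?'           # %{DATA} from the third answer
}.freeze

# Constructed log lines; the "$1" name (anonymous inner class style) is an
# extra case that the thread itself does not mention.
SAMPLES = [
  '2015-03-10 12:00:01,123 INFO PropertiesReader:12 - {"msg":"ok"}',
  '2015-03-10 12:00:02,456 ERROR PropertiesReader$:7 - {"msg":"fail"}',
  '2015-03-10 12:00:03,789 WARN PropertiesReader$1:7 - {"msg":"inner"}'
].freeze

# Same field layout as the grok match string in the question.
def line_regex(thread_pattern)
  Regexp.new("#{TS} #{LEVEL} (?<threadName>#{thread_pattern})" \
             ":(?<ThreadID>#{NUMBER}) - (?<Line>.*)")
end

# Returns the captured thread name, or nil where grok would tag a parse failure.
def thread_name(candidate, line)
  m = line_regex(CANDIDATES.fetch(candidate)).match(line)
  m && m[:threadName]
end

# Candidate name => sample lines it fails to parse.
def failures
  CANDIDATES.keys.map { |c| [c, SAMPLES.reject { |l| thread_name(c, l) }] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  failures.each do |name, missed|
    puts format('%-10s unparsed: %d of %d', name, missed.size, SAMPLES.size)
  end
end
```

Lines that a pattern fails to parse never get their threadName, ThreadID or Line fields, so the json filter that follows has nothing to decode for them.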