0
votes

I am trying to match the log level of a log file with a grok filter, but I am still getting a _grokparsefailure. The problem may be the space between [ and the log level.

example of log: 2017-04-21 10:12:03,004 [ INFO] Message

my filter:

filter {
    grok {
        match => {
            "log.level" => "\[ %{LOGLEVEL:loglevel}\]"
        }
    }
}

I also tried some other solutions without success:

"\[ *%{LOGLEVEL:loglevel}\]"
"\[%{SPACE}%{LOGLEVEL:loglevel}\]"

Thanks in advance for your help.


2 Answers

0
votes

The issue is with the option match in your filter: this option is a hash that tells the filter which field to look at and which field to look at.

Your regex is fine (you can check with http://grokconstructor.appspot.com/do/match), the issue is with the field name; it should be message.

So in your case, your filter should look like this:

grok {
    match => {
        "message" => "\[ %{LOGLEVEL:loglevel}\]"
    }
}

0
votes

The point is that the default field is message, and you need to match the whole string.

filter {
    grok {
        match => {
            "message" => "%{TIMESTAMP_ISO8601:logDate} \[ %{LOGLEVEL:loglevel}\]%{GREEDYDATA:messages}"
        }
    }
}
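To make the difference between the three filters concrete, here is an added example (not code from the question or either answer) that mimics how the grok filter applies its match hash to an event: each key names the event field to search, each value is the pattern. It uses a small, simplified stand-in for the logstash pattern library (the YEAR, TIME, LOGLEVEL and similar definitions below are constructed for this example and cover only a subset of the real ones) and runs the asker's filter, the first answer's fix and the second answer's full-line pattern against the sample log line.

```python
import re

# Simplified stand-ins for a few logstash core patterns (constructed here;
# the real definitions accept more variants).
PATTERNS = {
    "YEAR": r"(?:\d{4})",
    "MONTHNUM": r"(?:0[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12]\d|3[01])",
    "TIME": r"(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d(?:[,.]\d+)?",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{TIME}",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|NOTICE|WARN(?:ING)?|ERROR|CRITICAL|FATAL|SEVERE)",
    "SPACE": r"\s*",
    "GREEDYDATA": r".*",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} / %{NAME:field} references into a Python regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(PATTERNS[name])  # nested references expand recursively
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, pattern)


def grok_match(event: dict, match: dict) -> dict:
    """Apply a grok-style match hash {field: pattern} to an event.
    The first entry whose field exists and whose pattern matches wins and its
    captures are added to the event; otherwise the event is tagged
    _grokparsefailure. Like grok, the pattern is searched, not anchored."""
    out = dict(event)
    for field, pattern in match.items():
        text = event.get(field)
        if text is None:          # e.g. "log.level": no such field on the event
            continue
        m = re.search(grok_to_regex(pattern), text)
        if m:
            out.update(m.groupdict())
            return out
    out["tags"] = list(event.get("tags", [])) + ["_grokparsefailure"]
    return out


LINE = "2017-04-21 10:12:03,004 [ INFO] Message"   # the question's sample line
EVENT = {"message": LINE}                            # what logstash hands to the filter
WRONG = {"log.level": r"\[ %{LOGLEVEL:loglevel}\]"}  # asker's filter: wrong field
FIXED = {"message": r"\[ %{LOGLEVEL:loglevel}\]"}    # first answer's fix
FULL = {"message": r"%{TIMESTAMP_ISO8601:logDate} \[ %{LOGLEVEL:loglevel}\]%{GREEDYDATA:messages}"}
```

Running `grok_match(EVENT, WRONG)` tags the event with _grokparsefailure because the event has no log.level field, while the other two match and produce loglevel (and, for FULL, logDate and messages).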
