Hi I am kind of new to ELK and also GROK pattern, below is the log file line for which I want to create a GROK pattern. The fields that I need are before the ‘=’ as parsed by Splunk.
01 Aug 2017 17:58:19,048 INFO ProfileAspect[{applicationSystemCode=appname, clientIP=10.x.x.x, clusterId=Cluster-Id-NA, containerId=Container-Id-NA, correlationId=536bacc1-1b50-3866-5c8c-8d0efa037f8f, domainName=defaultDomain, hostName=ip-x-x-x.domain.com, messageId=10.x.x.23-e2250a0e-b706-4e95-8e11-5b9bf310eabd, userId=ANONYMOUS, webAnalyticsCorrelationId=66D276FF1489DFF845056FD915664268|F90B27374FD5E26D2566CEE3AFDA3AB0}]: class com.provider.base.v1.HomeBaseApiConsumer.searchTasks execution time: 15 ms
I also want to capture the execution time which is displayed in the last i.e 15 ms in this example.
I came up with this GROK pattern which is obviously not working.
%{MONTHDAY} %{MONTH} %{YEAR} %{TIME},%{NUMBER:duration} %{WORD:loglevel} %{WORD:Activity} [{%{(“applicationSystemCode”= \w)}
As per the document for Custom patterns, mentioned is (?the pattern here)
My updated GROK pattern is
%{MONTHDAY} %{MONTH} %{YEAR} %{TIME},%{NUMBER:duration} %{WORD:loglevel} %{WORD:Activity} \[\{(?<applicationSystemCode>\W\w+\W\w+)
I tested the regex in regex101.com1 and it works but in grok Debugger it doesnt work.
Any body can help?
