0
votes

I have the following log file,

[2017-07-07 11:41:30.794][DEBUG][Hello]

For the above log, I have written the grok filter as shown below:

match => {"message" =>"[%{TIMESTAMP_ISO8601:TimeStamp}][%{LOGLEVEL:logLevel}][%{WORD:machineName}]"}

But I have another scenario where the last part of my log is a little changed, as below:

[2017-07-07 11:41:30.794][DEBUG][C:0:O:1]

For this I am not able to write the proper grok filter. I tried the below:

match => {"message" =>"[%{TIMESTAMP_ISO8601:TimeStamp}][%{LOGLEVEL:logLevel}][%{HOSTNAME:machineName}]"}

HOSTNAME is not working. Can you please suggest which keyword to use?

2
Both of your grok strings simply won't work because you do not escape your brackets. If you want to match your machineName just use a GREEDYDATA
Fairy

There are some other patterns after machine name. I just mentioned some part of it. What is the exact keyword for C:0:O:1?
vinod hy

@Fairy I am skipping the brackets. But when I paste here, I don't know, it's not showing. It's strange. But my logstash filter syntax is correct. Not to worry about that
vinod hy

2 Answers

0
votes

Vinod, you might want to try skipping the [, ] brackets with \ like

\[%{TIMESTAMP_ISO8601:TimeStamp}\]\[%{LOGLEVEL:logLevel}\]\[%{HOSTNAME:machineName}\]

It should work.

Nikhil

0
votes

Also, if you are getting something like [C:0:O:1], then you can identify it with

\[%{GREEDYDATA:machineName}\]

But if you can provide more log line samples, that would help to suggest the correct pattern.

Nikhil
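
An added example, not code from any of the posters: it expands the grok strings discussed above into regular expressions and runs them against the two log lines from the question plus one constructed line with an extra trailing field, showing that WORD and HOSTNAME reject C:0:O:1 and that GREEDYDATA over-captures once more brackets follow. The pattern definitions are simplified stand-ins for the stock grok patterns, and the helper names and the third sample line are assumptions.

```ruby
# Simplified stand-ins for the stock grok patterns (assumption: the shipped
# definitions are longer; these are enough for the sample lines below).
PATTERNS = {
  "TIMESTAMP_ISO8601" => '\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?',
  "LOGLEVEL"   => '(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)',
  "WORD"       => '\b\w+\b',
  "HOSTNAME"   => '\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*(?:\.?|\b)',
  "GREEDYDATA" => '.*',
}.freeze

# Expand %{NAME:field} into a named capture group, the way grok does.
def grok_to_regexp(grok)
  Regexp.new(grok.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{PATTERNS.fetch($1)})" })
end

# Captured fields as a hash, or nil where Logstash would tag _grokparsefailure.
def grok_match(grok, line)
  m = grok_to_regexp(grok).match(line)
  m && m.named_captures
end

# Escaped-bracket prefix from the first answer, shared by every variant below.
PREFIX = '\[%{TIMESTAMP_ISO8601:TimeStamp}\]\[%{LOGLEVEL:logLevel}\]'
VARIANTS = {
  "WORD"       => PREFIX + '\[%{WORD:machineName}\]',
  "HOSTNAME"   => PREFIX + '\[%{HOSTNAME:machineName}\]',
  "GREEDYDATA" => PREFIX + '\[%{GREEDYDATA:machineName}\]',
  # Inline named capture: everything up to the next closing bracket.
  "NEGATED"    => PREFIX + '\[(?<machineName>[^\]]+)\]',
}.freeze

LINES = [
  '[2017-07-07 11:41:30.794][DEBUG][Hello]',            # from the question
  '[2017-07-07 11:41:30.794][DEBUG][C:0:O:1]',          # from the question
  '[2017-07-07 11:41:30.794][DEBUG][C:0:O:1][worker-3]' # constructed: extra field
].freeze

# machineName extracted by a variant from a line, or nil on parse failure.
def machine_name(variant, line)
  fields = grok_match(VARIANTS.fetch(variant), line)
  fields && fields["machineName"]
end

LINES.each do |line|
  VARIANTS.each_key { |v| puts format("%-10s %-52s => %p", v, line, machine_name(v, line)) }
end
```

In a Logstash filter the last variant is written the same way inside the match string, since grok accepts inline (?<field>regex) captures.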