How to write the grok expression for my log?

0
votes

I am trying to write a grok to analysis my logs.

Use logstash 7 to collect logs. But I failed writing grok after many attempts.

Log looks like this:

[2018-09-17 18:53:43] - biz_util.py [Line:55] - [ERROR]-[thread:14836]-[process:9504] - an integer is required

My Grok(fake):

%{TIMESTAMP_ISO8601 :log_time} - %{USERNAME:module}[Line:%{NUMBER:line_no}] - [%{WORD:level}]-[thread:%{NUMBER:thread_no}]-[process:%{NUMBER:process_no}] - %{GREEDYDATA:log}

Only the timestamp part is OK. The others failed.

2
logstashlogstash-grok

2 Answers

1
votes

that will work:

\[%{TIMESTAMP_ISO8601:log_time}\] - %{DATA:module} \[Line:%{NUMBER:line_no}\] - \[%{WORD:level}\]-\[thread:%{NUMBER:thread_no}\]-\[process:%{NUMBER:process_no}\] - %{GREEDYDATA:log}

you need to escap [

0
votes

This will work,

[%{TIMESTAMP_ISO8601:log_time}] %{NOTSPACE} %{USERNAME:module} [Line:%{BASE10NUM:Line}] %{NOTSPACE} [%{LOGLEVEL}]%{NOTSPACE}[thread:%{BASE10NUM:thread}]%{NOTSPACE}[process:%{BASE10NUM:process}]