Basic Grok pattern

Didier · August 25, 2015, 7:54pm

Hello,

We are trying to understand how to generate basic Grok patterns. As an example, I would have a few simple lines from a Tomcat Catalina file:

Aug 25, 2015 12:00:02 AM org.apache.catalina.startup.HostConfig checkResources
FINE: Checking context[/CrystalReports] reload resource /home/genesys/gcti/BOEXI/bobje/tomcat/conf/Catalina/localhost/CrystalReports.xml

Can anyone help with the syntax to generate the proper grok pattern?

I currently have a line like this but am not sure if I'm on the right path

filter {
grok {
match => "["message", %{MONTH:month} %{MONTHDAY:day} [,\s]%{YEAR:year} %{TIME:time} %{Format:[AP][M]}"
}
}

Much appreciated

magnusbaeck · August 25, 2015, 8:08pm

There are a few problems here.

Your quotes are a bit mixed up. Follow this pattern: match => ["message", "..."]
You'll want to match the whole timestamp in a single field. You could extract each timestamp component in a separate field but then you'd have to join them later on since the date filter only parses one field at a time.
The part after %{MONTHDAY:day} is incorrect. It'll match the day of the month followed by a space followed by either a comma or a whitespace character, immediately followed by a year. That's not what your logs look like.

If this is the default Tomcat format I'd be surprised if there wasn't already expressions flying around so that you don't have to reinvent the wheel.

sumithub · September 1, 2015, 2:20am

I find grok debugger helpful to generate and debug grok patterns http://grokdebug.herokuapp.com/