Basic Grok pattern

Didier · August 25, 2015, 7:54pm

Hello,

We are trying to understand how to generate basic Grok patterns. As an example, I would have a few simple lines from a Tomcat Catalina file:

Aug 25, 2015 12:00:02 AM org.apache.catalina.startup.HostConfig checkResources
FINE: Checking context[/CrystalReports] reload resource /home/genesys/gcti/BOEXI/bobje/tomcat/conf/Catalina/localhost/CrystalReports.xml

Can anyone help with the syntax to generate the proper grok pattern?

I currently have a line like this but am not sure if I'm on the right path

filter {
grok {
match => "["message", %{MONTH:month} %{MONTHDAY:day} [,\s]%{YEAR:year} %{TIME:time} %{Format:[AP][M]}"
}
}

Much appreciated

magnusbaeck · August 25, 2015, 8:08pm

There are a few problems here.

Your quotes are a bit mixed up. Follow this pattern: match => ["message", "..."]
You'll want to match the whole timestamp in a single field. You could extract each timestamp component in a separate field but then you'd have to join them later on since the date filter only parses one field at a time.
The part after %{MONTHDAY:day} is incorrect. It'll match the day of the month followed by a space followed by either a comma or a whitespace character, immediately followed by a year. That's not what your logs look like.

If this is the default Tomcat format I'd be surprised if there wasn't already expressions flying around so that you don't have to reinvent the wheel.

sumithub · September 1, 2015, 2:20am

I find grok debugger helpful to generate and debug grok patterns http://grokdebug.herokuapp.com/

Topic		Replies	Views
Help with tomcat grok pattern Logstash	4	1389	November 16, 2017
How to grok catalina log file Logstash	1	307	April 27, 2023
Grok pattern Help Logstash	4	3796	July 6, 2017
Can someone give pattern for Tomcat logs Logstash	17	12790	July 6, 2017
Grok filter in LOGSTASH Logstash	10	829	March 31, 2018

Basic Grok pattern

Related topics