I am trying to figure out the best approach to parse this line. I want a couple of pieces of information parsed into tokens, and the rest stripped away. This was captured from the Logstash log when it was sent by Filebeat.
ERROR: 12/19/18 02:20:13 PID=3111 (ScreenPopServer 1000 1)\nmain:Exception: org.I0Itec.zkclient.exception.ZkTimeoutException: Unable to connect to zookeeper server within timeout: 50000\n------------------------------------------------------------------------------
I want the
--word ERROR as log_level
--number 3111 as pid
--word ScreenPopServer as process_name
--number 1000 as controller_number
--number 1 as instance_number
I want to strip the dashes off completely.
This is what I have so far:
%{WORD:log_level}: %{DATE_US}.* %{TIME}.* %{WORD}.*=%{NUMBER:pid} \(%{WORD:process_name} %{NUMBER:controller_number} %{NUMBER:instance_number}\)\\n
The issue I am having is getting the message part up to the dashes. This occurs after the first \n char, but I can't seem to get a match. If I add a word, the match fails, but I don't know why.
%{WORD:log_level}: %{DATE_US}.* %{TIME}.* %{WORD}.*=%{NUMBER:pid} \(%{WORD:process_name} %{NUMBER:controller_number} %{NUMBER:instance_number}\)\\n%{WORD}.*
I am using this to test my matches - https://grokdebug.herokuapp.com/
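An added example, not part of the original post: the two patterns above rebuilt as plain Ruby regexes (Ruby uses the same regex family as grok), run against the posted line. It assumes the line contains the two literal characters `\n` as shown, simplifies NUMBER to digits, and uses the hypothetical names `HEAD`, `ASKED`, `FULL` and `parse`.

```ruby
# Grok's WORD expands to \b\w+\b and DATA to .*? (lazy). NUMBER is simplified
# to \d+ here (assumption: pid/controller/instance are plain integers).
WORD   = /\b\w+\b/
NUMBER = /\d+/

# Line from the post. Single quotes keep \n as two characters (backslash, n),
# the way the Logstash log prints it. The dash count is not significant.
LINE = 'ERROR: 12/19/18 02:20:13 PID=3111 (ScreenPopServer 1000 1)' \
       '\nmain:Exception: org.I0Itec.zkclient.exception.ZkTimeoutException: ' \
       'Unable to connect to zookeeper server within timeout: 50000\n' +
       '-' * 78

# Header fields, equivalent in shape to the first pattern in the post.
HEAD = Regexp.new(
  "(?<log_level>#{WORD}): \\S+ \\S+ \\w+=(?<pid>#{NUMBER}) " \
  "\\((?<process_name>#{WORD}) (?<controller_number>#{NUMBER}) " \
  "(?<instance_number>#{NUMBER})\\)"
)

# Second pattern from the post: ...\\n%{WORD}.*
# After the literal "\n", the next character is "m". Both "n" and "m" are
# word characters, so the leading \b of WORD cannot match and the whole
# expression fails. With a real newline character, \b would match there.
ASKED = /#{HEAD}\\n#{WORD}.*/

# Capture everything between the first separator and the dash run.
# Accepts either the literal "\n" text or a real newline character.
# Grok equivalent of the tail: (?:\\n|\n)%{DATA:message}(?:\\n|\n)-+$
FULL = /\A#{HEAD}(?:\\n|\n)(?<message>.*?)(?:\\n|\n)-+\z/

# Returns a Hash of field name => value, or nil when the line does not match.
def parse(line)
  FULL.match(line)&.named_captures
end

if __FILE__ == $PROGRAM_NAME
  puts "second pattern from the post matches: #{!ASKED.match(LINE).nil?}"
  parse(LINE).each { |k, v| puts "#{k} = #{v}" }
end
```
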