Best approach to parse this line into tokens

I am trying to figure out the best approach to parse this line. I want a couple of pieces of information parsed into tokens, and the rest stripped away. This was captured from the Logstash log when it was sent by Filebeat.

ERROR: 12/19/18 02:20:13 PID=3111 (ScreenPopServer 1000 1)\nmain:Exception: org.I0Itec.zkclient.exception.ZkTimeoutException: Unable to connect to zookeeper server within timeout: 50000\n------------------------------------------------------------------------------

I want the
--word ERROR as log_level
--number 3111 as pid
--word ScreenPopServer as process_name
--number 1000 as controller_number
--number 1 as instance_number

I want to strip the dashes off completely.

This is what I have so far:

%{WORD:log_level}: %{DATE_US}.* %{TIME}.* %{WORD}.*=%{NUMBER:pid} \(%{WORD:process_name} %{NUMBER:controller_number} %{NUMBER:instance_number}\)\\n

The issue I am having is getting the message part up to the dashes. This occurs after the first \n char, but I can't seem to get a match. If I add a word, the match fails, but I don't know why.

%{WORD:log_level}: %{DATE_US}.* %{TIME}.* %{WORD}.*=%{NUMBER:pid} \(%{WORD:process_name} %{NUMBER:controller_number} %{NUMBER:instance_number}\)\\n%{WORD}.*

I am using this to test my matches - https://grokdebug.herokuapp.com/

OK, to remove the slashes I used mutate and gsub. That is the first step in my filter.

mutate {
    gsub => [
        # Replace the line of dashes
        "message", "-+$", ""
    ]
}
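
Added example, not part of the original post and not Logstash code: the same parse written with Python's `re`, accepting both the escaped two-character `\n` shown in the captured line and a real newline, and checking how a `\b`-anchored word pattern behaves directly after each. The date, time and number sub-patterns are simplified stand-ins for grok's `DATE_US`, `TIME` and `NUMBER`, and the `log_message` field name is an assumption.

```python
import re

# Constructed sample: the line from the post. r"\n" is backslash + n (two
# characters), as shown in the Logstash log; the dash run is shortened.
RAW = (r"ERROR: 12/19/18 02:20:13 PID=3111 (ScreenPopServer 1000 1)"
       r"\nmain:Exception: org.I0Itec.zkclient.exception.ZkTimeoutException: "
       r"Unable to connect to zookeeper server within timeout: 50000"
       r"\n" + "-" * 30)
# The same event with real newline characters instead of the escaped form.
REAL = RAW.replace("\\n", "\n")

# Simplified stand-ins for grok's DATE_US, TIME and NUMBER (assumptions);
# WORD is written the way the stock grok pattern defines it.
WORD = r"\b\w+\b"
HEADER = (r"^(?P<log_level>\w+): \d+/\d+/\d+ \d+:\d+:\d+ \w+=(?P<pid>\d+) "
          r"\((?P<process_name>\w+) (?P<controller_number>\d+) "
          r"(?P<instance_number>\d+)\)")
SEP = r"(?:\\n|\n)"  # escaped two-character form, or a real newline

# Header, separator, lazily matched message, then an optional separator and
# the trailing run of dashes, which is matched but not captured.
LINE_RE = re.compile(HEADER + SEP + r"(?P<log_message>.*?)" + SEP + r"?-*$",
                     re.DOTALL)


def word_follows(line, sep):
    """True if HEADER + sep + WORD matches the line."""
    return re.search(HEADER + sep + WORD, line) is not None


def parse(line):
    """Return the named fields plus the message, or None when no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("pid", "controller_number", "instance_number"):
        fields[key] = int(fields[key])
    return fields
```

With the escaped form, the `n` of `\n` and the `m` of `main` are both word characters, so no `\b` boundary exists between them and `word_follows(RAW, r"\\n")` is false, while the real-newline form matches.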
