Cant parse correctly

Alexandros888 · November 27, 2019, 11:42am

Hello,

I want to parse the following message:

<155>##preprod_AISAMSWEB##: 2019-11-25 16:08:34,876 [ERROR] QT_WebEvents - System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.

I parse it with the following Grok Pattern:

<%{NUMBER:u_n_1}>%{GREEDYDATA:messageTEST}##%{WORD:hostname}##: %{TIMESTAMP_ISO8601:timestamp} %{DATA:loglevel} %{WORD:logger} %{GREEDYDATA:message}

The results are the following:

{
"hostname": "preprod_AISAMSWEB",
"loglevel": "[ERROR]",
"logger": "QT_WebEvents",
"u_n_1": "155",
"message": "- System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.",
"messageTEST": "",
"timestamp": "2019-11-25 16:08:34,876"
}

Nevertheless, i want to have the loglevel variable without the symbols.
I want the loglevel variable to contain the price ERROR instead of [ERROR].

Can someone help?

Thank you

Badger · November 27, 2019, 4:39pm

Use

\[%{DATA:loglevel}\]

Alexandros888 · November 28, 2019, 7:14am

thank you a lot it works smoothly now :). Where can i find more use cases like this..i mean do you know a link or a book that provides all kind of examples?

system · December 26, 2019, 7:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.