Hi,
is there any way to match a pattern inside a log and just write a part of it to a field? Here's an abstraction of my log:
elapsedTimeMs=41
I'd wrap it in () because it's sporadic and want the 41 to be written into a field called elapsed.time or so. Is there any way to do that?
Thanks in advance
Badger
August 2, 2022, 4:49pm
Yes, you do that using a grok filter. Hard to say more without seeing some actual log lines rather than an abstraction.
2022-08-03 08:13:54,376 INFO 1343434000 Server.Servlet <Gxyzdvlet> [TraceID: 5bdd1e20] Operation completed {url="https://url", servletClass="edge.servlet.jsonrpc.JsonRpcServlet", executionTime=1530637574515724, from="1vvvv", user="11341444441000", elapsedTimeMs=301, message="lll servlet has stopped processing the request", eventType="STOP", serverID="abc-def-3434"}, Operation completed {url="https://ttttt", servletClass="edge.servlet.jsonrpc.JsonRpcServlet", executionTime=1530637574515724, from="12.34.56.78", user="1vvv0", elapsedTimeMs=301, message="u servlet has stopped processing the request", eventType="STOP", serverID="lxyz-def-213"}
e.g. like that
Rios
August 3, 2022, 11:44am
grok {
  match => { "message" => "elapsedTimeMs=%{POSINT:elapsedtime}" }
}
If you want to fully parse, use dissect or grok + KV for the content inside { .. }
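The grok + KV approach suggested above, written out as a full pipeline. This is an added example, not a configuration posted by anyone in the thread. The field names `op` and `[@metadata][body]` are assumptions, and the input line is a constructed, shortened version of the log line posted above.

```logstash
input {
  generator {
    count => 1
    # Constructed sample line, shortened from the log line in the thread.
    lines => [ '2022-08-03 08:13:54,376 INFO Server.Servlet Operation completed {url="https://url", elapsedTimeMs=301, message="servlet has stopped processing the request", eventType="STOP"}' ]
  }
}

filter {
  # Step 1: capture the body of the first {...} block. DATA is lazy, so it
  # stops at the first closing brace; a second "Operation completed {...}"
  # block on the same line is not parsed by this pipeline.
  grok {
    match => { "message" => "Operation completed \{%{DATA:[@metadata][body]}\}" }
    # Lines without such a block are expected, so do not tag them as failures.
    tag_on_failure => []
  }

  if [@metadata][body] {
    # Step 2: split the body into key=value pairs. field_split is a set of
    # characters (comma and space); quoted values keep their inner spaces.
    kv {
      source      => "[@metadata][body]"
      field_split => ", "
      value_split => "="
      target      => "op"
    }

    # Step 3: kv produces strings. Convert the timing to a number so it can
    # be aggregated. If elapsedTimeMs is absent, this is a no-op.
    mutate {
      convert => { "[op][elapsedTimeMs]" => "integer" }
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Because `elapsedTimeMs` is sporadic, the KV route needs no optional group: the field `[op][elapsedTimeMs]` simply does not exist on events where the key is missing.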