Different line structures for the same log

Hi

I have the following lines in my log:

--

- 2017-01-16 00:00:01,779 [Thread-31:SpaceChangePollerTask(SpaceChangePollerTask-1121721-Space:MAIN)] INFO (support.context.FrameworkSession) Using overridden system date: 2016-10-25

USER01 - 666353-11336-1 2017-01-16 15:37:58,545 [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO (support.context.FrameworkSession) Using overridden system date: 2016-10-25

USER01 - 666353-11336-1 2017-01-16 15:37:58,651 [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] ERROR (domain.integration.RealtimeOutboundMessage) Problems invoking sender : XXXXXXXXXXXXXXXXXX
java.net.UnknownHostException: XXXXXXXXXXXXXXXXXXXx
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)

So I'm trying to get them with the following pattern:
"%{DATA:user} - %{UUID:uuid} %{TIMESTAMP_ISO8601:timestamp} \[%{DATA:information}\] %{LOGLEVEL:loglevel} \(%{JAVACLASS:java}\) %{GREEDYDATA:line}"

but I'm not able to handle all lines properly. The problems I've identified are the following:

  1. The number of spaces ' ' after LOGLEVEL is different: 2 for INFO and 1 for ERROR, so the pattern doesn't work for both cases. I've tried to add ( )? before (%{JAVACLASS, but it doesn't help.
  2. I would like to handle multiple lines for the errors (and not only those), so I've found the multiline codec, but I need to define the pattern that will allow multiline to be recognised; in my case, however, the lines are different: user and uuid are optional, so sometimes they are present and sometimes not. I have no idea how to address this problem.

I would appreciate any hint. Thanks
Przemek

General comments on your grok expression:

  • Don't use DATA in multiple places like that. Prefer more exact patterns, like NOTSPACE if the text you want to match can't contain spaces.
  • I don't see why the UUID pattern would work since "666353-11336-1" isn't a UUID.

The number of spaces ' ' after LOGLEVEL is different: 2 for INFO and 1 for ERROR, so the pattern doesn't work for both cases

Use \s+ to match one or more whitespace characters.
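As an added example (not code from this thread), the corrected header pattern with Magnus's two suggestions applied, plus the multiline rule the question asks about, checked as plain Python so it can be run without a Logstash instance. A minimal grok-style expander turns %{NAME:field} into Python named groups using a subset of the stock logstash-patterns-core definitions (TIMESTAMP_ISO8601 and LOGLEVEL are simplified here, an assumption of this example). The "user - uuid " prefix is optional as a whole, NOTSPACE replaces DATA and UUID, \s+ absorbs the one-vs-two space difference after LOGLEVEL, and every line that does not match the header is glued to the previous event, which is the negate => true, what => "previous" rule of the multiline codec. The log lines are those from the question; the _orphan_continuation tag is this example's own name.

```python
import re
from typing import Iterable, List, Optional

# Subset of the stock grok pattern library (logstash-patterns-core).
# TIMESTAMP_ISO8601 and LOGLEVEL are simplified in this example; the rest
# follow the stock definitions.
GROK_PATTERNS = {
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[,.]\d+)?",
    "LOGLEVEL": r"TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL",
    "JAVACLASS": r"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> "re.Pattern[str]":
    """Expand %{NAME} into (?:...) and %{NAME:field} into (?P<field>...).
    Anchored at both ends (grok itself searches) so a stack-trace frame can
    never match the header by accident."""
    def expand(m: "re.Match[str]") -> str:
        body = GROK_PATTERNS[m.group(1)]
        field = m.group(2)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile("^" + _GROK_REF.sub(expand, pattern) + "$")


# Corrected header: the whole "user - uuid " prefix is optional, and the user
# inside it is optional too (the thread shows a bare " - " when no user is
# set). NOTSPACE instead of DATA/UUID ("666353-11336-1" is not a UUID), \s+
# after LOGLEVEL, and the literal [ ] ( ) escaped since they are metacharacters.
HEADER_PATTERN = (
    r"\s*(?:(?:%{NOTSPACE:user})?\s*- (?:%{NOTSPACE:uuid} )?)?"
    r"%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:information}\]\s+"
    r"%{LOGLEVEL:loglevel}\s+\(%{JAVACLASS:java}\)\s+%{GREEDYDATA:line}"
)
HEADER_RE = grok_to_regex(HEADER_PATTERN)


def parse_header(line: str) -> Optional[dict]:
    """Fields of a header line, or None for a continuation line."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def group_events(lines: Iterable[str]) -> List[dict]:
    """Multiline grouping: anything that is not a header joins the event
    before it (the multiline codec's negate => true, what => "previous")."""
    events: List[dict] = []
    for raw in lines:
        text = raw.rstrip("\r\n")
        fields = parse_header(text)
        if fields is not None:
            events.append(fields)
        elif events:
            events[-1]["line"] += "\n" + text
        else:
            # Continuation with no header before it (file started mid-trace):
            # keep and tag it rather than drop it silently. Tag name is ours.
            events.append({"line": text, "tags": ["_orphan_continuation"]})
    return events


# Lines from the question: INFO is followed by two spaces, ERROR by one, and
# the ERROR event carries a stack trace on the following lines.
SAMPLE_LOG = """\
- 2017-01-16 00:00:01,779 [Thread-31:SpaceChangePollerTask(SpaceChangePollerTask-1121721-Space:MAIN)] INFO  (support.context.FrameworkSession) Using overridden system date: 2016-10-25
USER01 - 666353-11336-1 2017-01-16 15:37:58,545 [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO  (support.context.FrameworkSession) Using overridden system date: 2016-10-25
USER01 - 666353-11336-1 2017-01-16 15:37:58,651 [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] ERROR (domain.integration.RealtimeOutboundMessage) Problems invoking sender : XXXXXXXXXXXXXXXXXX
java.net.UnknownHostException: XXXXXXXXXXXXXXXXXXXx
\tat java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
\tat java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
\tat java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
"""


def demo() -> List[dict]:
    return group_events(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ev in demo():
        print(ev.get("loglevel"), ev.get("user"), ev.get("uuid"),
              ev.get("java"), repr(ev["line"][:60]))
```

The same two ideas carry over to the Logstash side: in the grok filter, wrap the optional prefix as (?:%{NOTSPACE:user})?\s*- (?:%{NOTSPACE:uuid} )? and use \s+ between fixed tokens; for the multiline step, give the codec (or Filebeat's multiline options) a pattern that matches only the start of a header, such as the timestamp with its optional prefix, and negate it so the stack-trace lines attach to the previous event.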

Hi Magnus
Thank you for your help.
\s+ and (?:%{PATTERN:field} )? solved most of the issues with parsing most of the lines.

Nevertheless, I always get the tag _grokparsefailure.

What is strange is that I also get it when I simplify my grok to the maximum:

filter {
  if [type] == "ccblog" {
    grok {
      match => ["message", "%{GREEDYDATA:line}"]
    }
  }
}

The result is the following:
"_source": {
  "message": " - 2017-01-19 11:19:58,957 [Thread-25:SpaceChangePollerTask(SpaceChangePollerTask-1414964-Space:MAIN)] INFO (support.context.FrameworkSession) Using overridden system date: 2016-10-25",
  "@version": "1",
  "@timestamp": "2017-01-19T10:19:59.457Z",
  "type": "ccblog",
  "input_type": "log",
  "beat": {
    "name": "vmA18DA9B",
    "hostname": "vmA18DA9B",
    "version": "5.1.1"
  },
  "source": "C:\\ouaf\\CCB2501\\logs\\system\\spl_service.log",
  "offset": 13720622,
  "host": "vmA18DA9B",
  "tags": [
    "beats_input_codec_plain_applied",
    "_grokparsefailure"
  ],
  "line": " - 2017-01-19 11:19:58,957 [Thread-25:SpaceChangePollerTask(SpaceChangePollerTask-1414964-Space:MAIN)] INFO (support.context.FrameworkSession) Using overridden system date: 2016-10-25",
  "syslog_severity_code": 5,
  "syslog_facility_code": 1,
  "syslog_facility": "user-level",
  "syslog_severity": "notice"
},

How can I avoid _grokparsefailure?

Regards
Przemek

Perhaps there's another grok filter in your configuration. Do you have any extra files in /etc/logstash/conf.d? Logstash reads all files there.
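An added check for the situation Magnus describes (example code, not from the thread): Logstash loads every file in the pipeline directory regardless of extension, so a forgotten backup still contributes its filters, and the event above is the symptom, since the `line` field proves the %{GREEDYDATA:line} grok matched while another grok added the tag. The function below reports every file that would be loaded, flags the ones not ending in .conf, and counts the grok blocks in each. The directory contents are constructed for the demo, including a .bak copy with a second grok filter; the file names and the port/hosts values are this example's own.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# A grok block opens with "grok {" on its own line in the usual layout.
_GROK_BLOCK = re.compile(r"^\s*grok\s*\{", re.MULTILINE)


def audit_pipeline_dir(path: str) -> List[Tuple[str, bool, int]]:
    """(filename, ends_with_conf, grok_block_count) for every regular file in
    the directory, sorted by name for a stable report. Every entry listed here
    is a file Logstash would load and concatenate into the pipeline."""
    report: List[Tuple[str, bool, int]] = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        report.append((name, name.endswith(".conf"), len(_GROK_BLOCK.findall(text))))
    return report


def stray_files(report: List[Tuple[str, bool, int]]) -> List[str]:
    """Files that will be loaded but do not look like config (backups, swap files)."""
    return [name for name, is_conf, _ in report if not is_conf]


def total_grok_filters(report: List[Tuple[str, bool, int]]) -> int:
    return sum(count for _, _, count in report)


# Constructed sample directory reproducing the thread: a live filter file plus
# a forgotten .bak copy that still contains a grok block of its own.
SAMPLE_FILES: Dict[str, str] = {
    "10-beats-input.conf": 'input {\n  beats { port => 5044 }\n}\n',
    "20-ccb-filter.conf": (
        'filter {\n  if [type] == "ccblog" {\n    grok {\n'
        '      match => ["message", "%{GREEDYDATA:line}"]\n    }\n  }\n}\n'
    ),
    "20-ccb-filter.conf.bak": (
        'filter {\n  if [type] == "ccblog" {\n    grok {\n'
        '      match => ["message", "%{DATA:user} - %{UUID:uuid} %{GREEDYDATA:rest}"]\n'
        '    }\n  }\n}\n'
    ),
    "90-output.conf": 'output {\n  elasticsearch { hosts => ["localhost:9200"] }\n}\n',
}


def demo() -> dict:
    """Write the constructed files to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        report = audit_pipeline_dir(tmp)
    return {
        "report": report,
        "stray": stray_files(report),
        "grok_filters": total_grok_filters(report),
    }


if __name__ == "__main__":
    result = demo()
    for name, is_conf, groks in result["report"]:
        print(f"{name:28} conf={is_conf!s:5} grok_blocks={groks}")
    print("stray files:", result["stray"])
    print("grok filters in pipeline:", result["grok_filters"])
```

Run it against the real directory with audit_pipeline_dir("/etc/logstash/conf.d"): two grok blocks where you expect one, or any name in the stray list, is the explanation for a _grokparsefailure that a single matching grok cannot have produced.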


That's it.
I had a backup file *.bak and I was not aware that Logstash would take it into account.
Now it works like a charm!

Thanks a lot!
Przemek

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.