Difficult log line

Kubeksz · July 19, 2017, 7:10am

I'm a new user of ELK stack. I've got a little problem with filtering out specific section from my log.

Sample log:

 [2017-05-30 13:58:09,336] INFO [com.qwerty.test.core.services.impl.order.OrderEntryService (OrderEntryService.java:5426) [http-/0.0.0.0:1111-111] {{CT,1496145487308}{IP,111.11.111.11}{JTX,1511059/176275501}{OBJT,goodsMovement.reportsUtils.ConsignmentStocksList}{OPT,SQ}{PID,111111}{SS,SSCPLTMPRODPL}{TRT,SAP_LOGISTIC_REPORT}{UID,StudentSaSo-8}}: Saving order: K1010101

and my grok:

grok {
		match => { "message" => "(?<log_timestamp>%{YEAR}-%{MONTHNUM2}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND},%{NONNEGINT})\] %{LOGLEVEL:loglevel} * \[(?<logger>[A-Za-z0-9$_.]+)\] \(%{JAVAFILE:class}:%{NONNEGINT:line}\) \[%{NOTSPACE:thread}\] %{GREEDYDATA:log_message}"}
	}

so i need filter out this section from my log:

{{CT,1496145487308}{IP,111.11.111.11}{JTX,1511059/176275501}{OBJT,goodsMovement.reportsUtils.ConsignmentStocksList}{OPT,SQ}{PID,111111}{SS,SSCPLTMPRODPL}{TRT,SAP_LOGISTIC_REPORT}{UID,StudentSaSo-8}}:

I try use patterns from https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns but it does not work for me and also i try crate own pattern and it only works for first section ( {{CT,1496145487308} ).

my regexp:

(?:[\{{][^\}]*,[^\}]*\})

so please help me guys, i'm totally blocked by this issue

paz · July 19, 2017, 12:14pm

There are several syntax errors with your grok pattern, which actually fails to compile:

E.g. Mixing what I presume are regex capture groups with grok expressions (also MONTHNUM2 is not a valid pattern)

For reference, you can use grokdebug for on-the-fly pattern testing.
This should work

grok {
		match => { "message" => "\[%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND},%{NONNEGINT}\] %{WORD:loglevel} \[%{NOTSPACE:logger} \(%{JAVAFILE:class}:%{NONNEGINT:line}\) \[%{NOTSPACE:thread}\] %{GREEDYDATA:log_message}"}
	}

Kubeksz · July 20, 2017, 6:37am

thank's for your reply but i write about different thing. I didn't saw that i don't mentioned about with which section i've got problem...

But thanks a lot for your help with another mistake that i've done

system · August 17, 2017, 6:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.