First time with grok

fabek.75 · March 28, 2022, 3:29pm

Hi there.
I'm trying to use grok for the first time to parse a line log like this:
Mar 15 10:45:13 myapp.com myapp: [Info] <99999999999999> /path/path1: [10.255.255.255:99999] POST /our_queue/worker/import? 204

In the Dev tools, with this syntax

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(:) 
%{LOGLEVEL:log-level} %{GREEDYDATA:message}

But is not working. The Debugger should recognize these predefined patterns, no?

stephenb · March 28, 2022, 3:54pm

You are missing the brackets around the Log Level note the are escaped

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(:) \[%{LOGLEVEL:log-level}\] %{GREEDYDATA:message}

fabek.75 · March 29, 2022, 7:43am

Thank you. I wrongly assumed the LOGLEVEL pattern included the square brackets.

system · April 26, 2022, 7:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern - sometimes nesting bracket Logstash	3	293	October 5, 2022
Grok Parsing Timestamp Error Logstash	1	294	February 20, 2018
Grok parser and nested brackets Logstash	6	263	April 10, 2023
I need to parse this log message format Logstash	11	2423	April 2, 2019
Square brackets in ingest node grok pattern Elasticsearch	3	2717	January 2, 2017

First time with grok

Related Topics