First time with grok

fabek.75 · March 28, 2022, 3:29pm

Hi there.
I'm trying to use grok for the first time to parse a line log like this:
Mar 15 10:45:13 myapp.com myapp: [Info] <99999999999999> /path/path1: [10.255.255.255:99999] POST /our_queue/worker/import? 204

In the Dev tools, with this syntax

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(:) 
%{LOGLEVEL:log-level} %{GREEDYDATA:message}

But is not working. The Debugger should recognize these predefined patterns, no?

stephenb · March 28, 2022, 3:54pm

You are missing the brackets around the Log Level note the are escaped

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(:) \[%{LOGLEVEL:log-level}\] %{GREEDYDATA:message}

fabek.75 · March 29, 2022, 7:43am

Thank you. I wrongly assumed the LOGLEVEL pattern included the square brackets.

system · April 26, 2022, 7:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern - sometimes nesting bracket Logstash	3	293	October 5, 2022
Grok Parsing Timestamp Error Logstash	1	294	February 20, 2018
Unexpected _grokparsefailure while parsing square brackets with custom pattern Logstash	1	693	July 6, 2017
Grok parser and nested brackets Logstash	6	263	April 10, 2023
Log between {} Logstash	6	347	May 7, 2018

First time with grok

Related topics