First time with grok

fabek.75 · March 28, 2022, 3:29pm

Hi there.
I'm trying to use grok for the first time to parse a line log like this:
Mar 15 10:45:13 myapp.com myapp: [Info] <99999999999999> /path/path1: [10.255.255.255:99999] POST /our_queue/worker/import? 204

In the Dev tools, with this syntax

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(:) 
%{LOGLEVEL:log-level} %{GREEDYDATA:message}

But is not working. The Debugger should recognize these predefined patterns, no?

stephenb · March 28, 2022, 3:54pm

You are missing the brackets around the Log Level note the are escaped

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(:) \[%{LOGLEVEL:log-level}\] %{GREEDYDATA:message}

fabek.75 · March 29, 2022, 7:43am

Thank you. I wrongly assumed the LOGLEVEL pattern included the square brackets.

Topic		Replies	Views
Help required for grok filter creation [windows platform] Logstash	2	275	July 20, 2018
Logstash GROK Logstash	2	74	January 7, 2026
Grok parsing using custom pattern Logstash	3	1045	August 9, 2017
Cant parse correctly Logstash	3	292	December 26, 2019
ES\|QL Grok parsing Elasticsearch esql	1	67	November 28, 2024

First time with grok

Related topics