Formatting data as a block in logstash

selin · August 20, 2021, 3:47am

Below is my sample data. How can it be filter based on start time and end time using grok pattern. Any idea friends since the data came as a stream of blocks. Can you guys suggest and provid example. I need to know start time , end time, success or fail. if fail the messge

++++++++++++++++++++++++++++++++++++++++++++++
Name: My file name
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Begin Date:	MM/DD/YYYY
Begin Time:	HH:MM:SS

Activity
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
YYYY-MM-DD HH:MM:SS message
YYYY-MM-DD HH:MM:SS message
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Result
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
messge Completed
End Date:	MM/DD/YYYY
End Time:	HH:MM:SS
Executed by: Name
++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++
Name: My file name
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Begin Date:	MM/DD/YYYY
Begin Time:	HH:MM:SS

Activity
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
YYYY-MM-DD HH:MM:SS message
YYYY-MM-DD HH:MM:SS message
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Result
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
message Failed
ERROR:	message
ERROR:	message
  at stacktrace
  at stacktrace
Caused by: message
  at stacktrace
  at stacktrace
	
End Date:	MM/DD/YYYY
End Time:	HH:MM:SS
Executed by: Name
++++++++++++++++++++++++++++++++++++++++++++++

AquaX · August 24, 2021, 6:36pm

A couple of hints I can think of.
First you need to use a multiline input and capture everything between the "++++++" lines.
Like this:
++++++++++++++++++++++++++++++++++++++++++++++ Name: My file name ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Begin Date: 10/13/1987 Begin Time: HH:MM:SS Activity ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ YYYY-MM-DD HH:MM:SS message YYYY-MM-DD HH:MM:SS message ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Result ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ messge Completed End Date: MM/DD/YYYY End Time: HH:MM:SS Executed by: Name ++++++++++++++++++++++++++++++++++++++++++++++

Then use a grok pattern (going to be ugly) to cut out the pieces that you need.

I started playing around with it a little bit (assuming that all newline characters were removed and the entire thing could be handled as a single line event.

\+ Name: %{DATA:my_file_name} \~%{NOTSPACE} Begin Date: %{NUMBER:Month}

This will get you this:


  "my_file_name": [
    [
      "My file name"
    ]
  ],
  "NOTSPACE": [
    [
      "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    ]
  ],
  "Month": [
    [
      "10"
    ]
  ],
  "BASE10NUM": [
    [
      "10"
    ]
  ]
}

Check out https://grokdebug.herokuapp.com/ to help you figure out the rest.
Good luck.

Topic		Replies	Views
Grok parse failure splitting in to 3 blocks Logstash	4	387	August 11, 2020
Multiline grok conditional filter based on block of text in logfile Logstash	2	833	February 23, 2017
Logstash Grok break_on_filter not working Logstash	1	331	March 29, 2018
How to convert my time with the date filter for kibana Logstash	2	342	July 30, 2020
How to start Grok Pattern Logstash	4	487	April 30, 2019

Formatting data as a block in logstash

Related topics