Grok Custom filter

zolthar-z · October 8, 2018, 9:44pm

Hi

I'm new in ELK and I've installed the app for log management. I have a legacy application and want to make some tranformation to the logs, right now a I recevied the logs in the following format:

2018-10-08 13:06:28,710 DEBUG [Job] SID=[078] ServiceRunning: new service created

The idea is have the output with the next format

Datestamps: 2018-10-08 13:06:28,710
level: DEBUG
SID: 078
Message: ServiceRunning: new service created

I have tried with differents filters like "%{DATESTAMP} %{LOGLEVEL:level} %{WORD:SID}" but the output doesn't show as I expected, So I was wondering if maybe one of you know if is possible create that output with logstash filters

Thanks in advance for your help.

Regards.

Tek_Chand · October 9, 2018, 9:20am

@Luis, Please try the below pattern for your log:

(?<datestamp>[\w\-\s\:]+)\,(?<pid>[\w]+)\s(?<loglevel>[\w]+)\s\[\w+\]\s\w+\=\[(?<SID>[\w]+)\]\s(?<message>.*)

Thanks

zolthar-z · October 9, 2018, 3:07pm

Hi @Tek_Chand, thanks for the information, it works perfectly!!!, Do you know where I can find the meaning or how I can do all the filters that you apply ? Thanks again.

Tek_Chand · October 10, 2018, 3:18am

Hello Luis,

You should have some idea of regex to write the filter. Please refer the below link for some basic regex symbol:

https://en.wikipedia.org/wiki/Regular_expression

You can use grok debugger to write filter for your logs pattern. Please refer the below link:

https://grokdebug.herokuapp.com/

Thanks.

system · November 7, 2018, 3:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.