Grok filter 2 different logs

bishaka · June 3, 2016, 6:05pm

Hi,
I am trying to use the following grok filter to extract fields from log file, The log file contains 2 different style of logs, hence I wrote 2 different queries to tackle the 2 logs. However, it's failing on one of the logs..the one inside the if statement..i get "grokparsefailure error" Please help me.

filter {
grok {
match => [ "message", "%{NOTSPACE}%{TIME}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE} %{WORD}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{WORD}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE} %{NOTSPACE:requestDetails}" ]

}
if[requestType] == "PROCESSING" {
	grok {
	match => [ "message", "%{NOTSPACE}%{TIME}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{WORD}%{NOTSPACE} %{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE}%{SPACE}%{GREEDYDATA:requestDetails}" ]
	}		
}
mutate {
    remove => [ "message" ]
}

}

The log file contents below
2016-05-20 07:13:13 | INFO | [jmsContainer-10] | AQ-REQ | PROCESSING | FAILED FOR urn:gsma:imei:35774606-004713-0 I/O error on POST request for "https://spp.msg.t-mobile.com:8083/pushnotification/v1.0/message":Read timed out; nested exception is java.net.SocketTimeoutException: Read timed out
2016-05-20 13:13:50 | INFO | [[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] | WAKEUP-REQ | RECEIVED | urn:gsma:imei:35774606-004713-0

bishaka · June 3, 2016, 9:34pm

Can anybody please help me?

2016-05-20 04:06:12 | INFO | [[ACTIVE] ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)'] | WAKEUP-REQ | SUCCESS | urn:gsma:imei:35774606-004713-0 - 200 - - {"statusCode":"success","statusMessage":"Wakeup request recieved"}

what I have is this:

filter {
grok {
match => [ "message", "%{NOTSPACE} %{NOTSPACE:threadType} %{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE} %{GREEDYDATA:requestDetails}" ]

}
if[threadType] == "[[ACTIVE]" {
	grok {
	match => [ "message", "%{NOTSPACE} %{NOTSPACE:threadType} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE} %{GREEDYDATA:requestDetails}" ]
	}		
}
mutate {
    remove => [ "message" ]
}

}

I get the following when I run logstash..the fields are giving me similar output...

bishaka · June 6, 2016, 6:20pm

help. still stuck

magnusbaeck · June 8, 2016, 6:23pm

Those grok expressions are unreadable. Why don't you use the csv filter instead?

bishaka · June 8, 2016, 6:37pm

How do you use csv filter?

magnusbaeck · June 9, 2016, 8:00pm

Have you looked at the documentation or googled for examples?

Topic		Replies	Views
Multiple grok filter Logstash	16	23629	October 3, 2017
Grok filter for different kinds of log in a single file Logstash	4	327	June 17, 2020
Grok parse failures Logstash	4	286	December 29, 2020
Grok performance Logstash	5	1307	January 18, 2018
Conditionals in Grok filter for more than one log type Logstash	12	1181	October 25, 2017

Grok filter 2 different logs

Related Topics