Grok filter 2 different logs

bishaka · June 3, 2016, 6:05pm

Hi,
I am trying to use the following grok filter to extract fields from log file, The log file contains 2 different style of logs, hence I wrote 2 different queries to tackle the 2 logs. However, it's failing on one of the logs..the one inside the if statement..i get "grokparsefailure error" Please help me.

filter {
grok {
match => [ "message", "%{NOTSPACE}%{TIME}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE} %{WORD}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{WORD}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE} %{NOTSPACE:requestDetails}" ]

}
if[requestType] == "PROCESSING" {
	grok {
	match => [ "message", "%{NOTSPACE}%{TIME}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{NOTSPACE}%{WORD}%{NOTSPACE} %{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE}%{SPACE}%{GREEDYDATA:requestDetails}" ]
	}		
}
mutate {
    remove => [ "message" ]
}

}

The log file contents below
2016-05-20 07:13:13 | INFO | [jmsContainer-10] | AQ-REQ | PROCESSING | FAILED FOR urn:gsma:imei:35774606-004713-0 I/O error on POST request for "https://spp.msg.t-mobile.com:8083/pushnotification/v1.0/message":Read timed out; nested exception is java.net.SocketTimeoutException: Read timed out
2016-05-20 13:13:50 | INFO | [[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] | WAKEUP-REQ | RECEIVED | urn:gsma:imei:35774606-004713-0

bishaka · June 3, 2016, 9:34pm

Can anybody please help me?

2016-05-20 04:06:12 | INFO | [[ACTIVE] ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)'] | WAKEUP-REQ | SUCCESS | urn:gsma:imei:35774606-004713-0 - 200 - - {"statusCode":"success","statusMessage":"Wakeup request recieved"}

what I have is this:

filter {
grok {
match => [ "message", "%{NOTSPACE} %{NOTSPACE:threadType} %{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE} %{GREEDYDATA:requestDetails}" ]

}
if[threadType] == "[[ACTIVE]" {
	grok {
	match => [ "message", "%{NOTSPACE} %{NOTSPACE:threadType} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE} %{GREEDYDATA:requestDetails}" ]
	}		
}
mutate {
    remove => [ "message" ]
}

}

I get the following when I run logstash..the fields are giving me similar output...

bishaka · June 6, 2016, 6:20pm

help. still stuck

magnusbaeck · June 8, 2016, 6:23pm

Those grok expressions are unreadable. Why don't you use the csv filter instead?

bishaka · June 8, 2016, 6:37pm

How do you use csv filter?

magnusbaeck · June 9, 2016, 8:00pm

Have you looked at the documentation or googled for examples?

Topic		Replies	Views
Multiple grok filter Logstash	16	23658	October 3, 2017
Multiple patterns in grok filter Logstash	4	3380	November 16, 2018
Multiple pattern matching log file Logstash	3	1060	July 6, 2017
Error in multiple match in logstash filter Logstash	3	755	March 14, 2018
Can you apply another grok filter in case of _grokparsefailure? Logstash	2	391	September 20, 2019

Grok filter 2 different logs

Related topics