GROK filter for specific keyword and values

Akshara · June 26, 2020, 8:02am

LOG MSG : "2020-05-13 09:30:15.405 [localhost] [Services] [Request Id : 06118032-ba2f-406e-b6b3-89f0511924ba] [User Id : HUNTER@UK.B-AND-Q.COM] INFO com.logging.aspect.AspectController:120 - [1242,124202,] Exit LookupLastTransaction: Output ["Transaction_id =RT1242124202130519002650 TransactionDateTime =com.store.DateTimeCommonData@5f4c1899 TotalQuantity =6 TenderTotal = GrandTotal = TotalAmount =�29.94 ReturnAmount =�0.00"] "

Above line is my log message.As I am new to GROK filter I am finding it very difficult to parse the Total Amount as separate filed and send that to kibana. Can some one pls help how to filter the value as separate filed?

Jasonespo · June 26, 2020, 8:21am

Hi Akshara - do you have your grok for the rest of the log message? Or do you only want to take the "TotalAmount" value out?

Akshara · June 26, 2020, 8:52am

Hi Jason

This is my GROK filter
%{GREEDYDATA}(?< TotalAmount >(?<= TotalAmount =�)[^&]+)(?< ReturnAmount >(?<= ReturnAmount =�)[^&])

When I use this the output is coming like this
{
"TotalSalesAmount": "29.94 TotalReturnAmount =�",
"TotalReturnAmount": "0"
}
All I want is some thing like this
{
"TotalSalesAmount": "29.94 ",
"TotalReturnAmount": "0.00"
}

Jasonespo · June 26, 2020, 8:59am

Try this (not using any regex patterns) so make sure it will work with all your possible options

%{GREEDYDATA}TotalAmount%{SPACE}=%{DATA}%{NUMBER:TotalSalesAmount}%{SPACE}ReturnAmount%{SPACE}=%{DATA}%{NUMBER:TotalReturnAmount}

Akshara · June 26, 2020, 9:06am

Hi Jason,
Thx for the response.But it is not working

Jasonespo · June 26, 2020, 9:09am

What's the error you get? See below screenshot:

Akshara · June 26, 2020, 9:23am

Hi Jason,Thankyou verymuch for helping me. It is working in grokdebug.BUt when I try this in Kibana debugger it is not working. I am not sure what is the issue

Akshara · June 26, 2020, 9:26am

Akshara · June 26, 2020, 9:57am

Thanks a Ton Jason.It worked. It was my my Bad I did a mistake in debugger.
You saved my life...

I have few questions
1.If I need to add one more filter like this means
%{GREEDYDATA}Cash tenderAmount%{SPACE}=%{DATA}%{NUMBER:CashTenderAmount}

for log which will be printed in another line means ,how can I add multiple GROK filters in logsatsh.conf file?

2.If my log file has several other information which is printed in different lines means ,then if I use this GROK filters will fail or what?

Thanks

Jasonespo · June 26, 2020, 11:11am

I think I understood. You have one logstash.conf file and you want 2 different grok patterns to match two different potential log messages? You'd use this:

grok {
match => [
  "message", "GROKPattern1",
  "message", "GROKPattern2"
 
        ]
}

system · July 24, 2020, 11:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.