Grok filter on massive log

Hello,

I am a newbie at Grok and I want to ask the following.

I have a big log from weblogic such as:

2019-06-24 11:56:25,782 [[ACTIVE] ExecuteThread: '333' for queue: 'weblogic.kernel.Default (self-tuning)'] ERROR motive.utilities.javascript.JavaScriptLogger - PARPINJO {deviceManageable=false, accountId2=, datatype=isam, primaryNumber=111111111, subscriptionType=, serialNumber=, accountstatus=Location: 000, ID: 2222, firstPhase=yes, ngnType=NOKIA, csrLogin=user, beaEquipmentSerialNum=null, ElementName=York, Slot=19, LT=16, Port=27

I am trying to test it through grokdebug.herokuapp.com

What I want is to filter 2 or more fields.

When I try one of them, it is working:

csrLogin=(?<csrLogin>[a-x]{,10})

{
  "csrLogin": [
    [
      "test"
    ]
  ]
}

How can I add another one next to it? I don't want it to be the next field (e.g. csrLogin=user, beaEquipmentSerialNum=null).

Just say that I want the field -> Port=27

such as

csrLogin=(?<csrLogin>[a-x]{,10}) & Port=(?<Port>[a-x]{,10})

Is it possible?

Thank you all

If you just want to extract all the fields from the log, then you can simply use the kv filter. That will convert the keys available in the log into fields in the output.

If you want to keep the other info that's available in the log, then the combination of a Grok and a kv filter will also work.

I do not want to extract all the fields, just some of them. Any ideas?

Use a kv filter.

kv { include_keys => [ "beaEquipmentSerialNum", "csrLogin" ] }
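As an added example (not code from this thread), here is a Logstash pipeline that combines the two suggestions above: grok takes the fixed WebLogic prefix apart and puts the brace-delimited payload into its own field, and kv with include_keys then extracts only csrLogin and Port from it. The field names timestamp, thread, level, logger, tag and kvpairs are my own choices, and the prefix pattern is an assumption based only on the single log line posted.

```logstash
filter {
  # Split the WebLogic prefix from the "{key=value, ...}" payload.
  # Everything after the opening brace lands in the kvpairs field.
  grok {
    match => {
      "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:thread}\] %{LOGLEVEL:level} %{JAVACLASS:logger} - %{WORD:tag} \{%{GREEDYDATA:kvpairs}"
    }
  }

  # Only the listed keys become event fields; every other pair in
  # kvpairs is ignored, so no second grok capture is needed.
  kv {
    source       => "kvpairs"
    field_split  => ","
    value_split  => "="
    trim_key     => " "
    trim_value   => " }"
    include_keys => [ "csrLogin", "Port" ]
    remove_field => [ "kvpairs" ]
  }
}
```

Note that the accountstatus value in the posted line (Location: 000, ID: 2222) itself contains the "," separator, so splitting on "," would truncate that value if you ever add it to include_keys; csrLogin and Port are not affected.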
