I wanted to parse application logs which have information like timestamp, host name, message, log level etc. When I am using a Grok pattern, I don't see the correct value being assigned to the respective variable.
To make it simpler, I only tried to parse one string called Hostname, like below:
if [topics] == "ApplicationError" {
  grok {
    match => ["message", "%{WORD:hostserver}"]
  }
}
And I am getting the result in the Message field, not in the hostserver variable. I checked with the IPORHOST pattern also, same result.
I checked in Grok debugger; there also it's saying no match. Not sure what is wrong in my pattern...
grok {
  match => ["message", "%{WORD:hostserver} %{WORD:severity} %{WORD:errormessage} %{WORD:appdomain} %{WORD:hostprocess} %{WORD:source}" ]
}
I also tried with the Type field, like:
if [type] == "applicationerror" {
  grok {
    match => ["message", "%{WORD:hostserver} %{WORD:severity} %{WORD:errormessage} %{WORD:appdomain} %{WORD:hostprocess} %{WORD:source}" ]
  }
}
I am doing some basic mistake I guess, and even if I am trying with a single word in the input logs, it's not working in my config, nor matching in Grok debugger.
Hi, now I am able to parse the message but still need help on the different patterns I should use for space, path etc. Can you please help? Below are the details of input, output and configuration.
Input Logs
“SEGOTW10271196 Error This is a test message VTOMException This is a unit test Exception IN at Volvo.VTOM.UtilityComponentTests.Logging.VTOMLoggerTests.LogError() in C:\CAQv2\Source\VTOM\Tests\UnitTests\NVSComponents\Utilities\UtilityComponentTests\Logging\VTOMLoggerTests.cs:line 48 UnitTestAdapter: Running test C:\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO\2017\ENTERPRISE\COMMON7\IDE\COMMONEXTENSIONS\MICROSOFT\TESTWINDOW\vstest.executionengine.x86.exe Volvo.VTOM.UtilityComponentTests.Logging.VTOMLoggerTests:Void LogError()”
Expected Output after GROK Parsing
Host Name - SEGOTW10271196
Severity - Error
Message - This is a test message VTOMException This is a unit test Exception IN at Volvo.VTOM.UtilityComponentTests.Logging.VTOMLoggerTests.LogError() in C:\CAQv2\Source\VTOM\Tests\UnitTests\NVSComponents\Utilities\UtilityComponentTests\Logging\VTOMLoggerTests.cs:line 48
appdomain - UnitTestAdapter: Running test
processname - C:\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO\2017\ENTERPRISE\COMMON7\IDE\COMMONEXTENSIONS\MICROSOFT\TESTWINDOW\vstest.executionengine.x86.exe
Title - Volvo.VTOM.UtilityComponentTests.Logging.VTOMLoggerTests:Void LogError()
Actual Output
{
"severity" => "Error",
"errormessage" => "This",
"@timestamp" => 2018-01-02T09:52:52.732Z,
"hostserver" => "SEGOTW10271196",
"processname" => "a",
"@version" => "1",
"appdomain" => "is",
"message" => "SEGOTW10271196 Error This is a test message VTOMException This is a unit test Exception IN at Volvo.VTOM.UtilityComponentTests.Logging.VTOMLoggerTests.LogError() in C:\CAQv2\Source\VTOM\Tests\UnitTests\NVSComponents\Utilities\UtilityComponentTests\Logging\VTOMLoggerTests.cs:line 48 UnitTestAdapter: Running test C:\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO\2017\ENTERPRISE\COMMON7\IDE\COMMONEXTENSIONS\MICROSOFT\TESTWINDOW\vstest.executionengine.x86.exe Volvo.VTOM.UtilityComponentTests.Logging.VTOMLoggerTests:Void LogError()",
"type" => "applicationerror",
"title" => "test"
}
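An added example (not part of the original posts, and not Logstash's own code): a minimal Ruby re-implementation of grok's `%{NAME:field}` expansion, showing why six `%{WORD}` tokens produce the "Actual Output" above and how a pattern anchored on landmarks in the line yields the "Expected Output". It assumes the message always ends in `:line N` and the process path starts with a drive letter and ends in `.exe`; `grok_compile`, `grok_match`, `WORD_ONLY` and `ANCHORED` are hypothetical names.

```ruby
# Subset of the stock grok pattern definitions, enough for this log line.
GROK = {
  "WORD"       => '\b\w+\b',
  "INT"        => '(?:[+-]?(?:[0-9]+))',
  "DATA"       => '.*?',
  "GREEDYDATA" => '.*',
}.freeze

# Expand %{NAME} and %{NAME:field} into an Oniguruma-style regex, as grok does.
def grok_compile(pattern)
  src = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    body = GROK.fetch($1)
    $2 ? "(?<#{$2}>#{body})" : "(?:#{body})"
  end
  Regexp.new(src)
end

# Returns a field => value hash, or nil when the line does not match.
def grok_match(pattern, line)
  m = grok_compile(pattern).match(line)
  m && m.named_captures
end

# The input log line from the post, rebuilt from its five logical fields.
LINE = [
  'SEGOTW10271196 Error',
  'This is a test message VTOMException This is a unit test Exception IN at Volvo.VTOM.UtilityComponentTests.Logging.VTOMLoggerTests.LogError() in C:\CAQv2\Source\VTOM\Tests\UnitTests\NVSComponents\Utilities\UtilityComponentTests\Logging\VTOMLoggerTests.cs:line 48',
  'UnitTestAdapter: Running test',
  'C:\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO\2017\ENTERPRISE\COMMON7\IDE\COMMONEXTENSIONS\MICROSOFT\TESTWINDOW\vstest.executionengine.x86.exe',
  'Volvo.VTOM.UtilityComponentTests.Logging.VTOMLoggerTests:Void LogError()',
].join(' ')

# WORD matches one run of word characters, so each field gets a single token.
WORD_ONLY = '%{WORD:hostserver} %{WORD:severity} %{WORD:errormessage} ' \
            '%{WORD:appdomain} %{WORD:processname} %{WORD:title}'

# Anchored at both ends; multi-word fields are delimited by landmarks (assumed
# format): ":line N" ends the message, "X:\ ... .exe" brackets the process path.
# '\\\\' in a single-quoted Ruby string is the regex \\ (one literal backslash).
ANCHORED = '^%{WORD:hostserver} %{WORD:severity} ' \
           '(?<errormessage>%{DATA}:line %{INT}) %{DATA:appdomain} ' \
           '(?<processname>[A-Za-z]:\\\\%{DATA}\.exe) %{GREEDYDATA:title}$'

if __FILE__ == $0
  p grok_match(WORD_ONLY, LINE)   # one word per field
  p grok_match(ANCHORED, LINE)    # full multi-word fields
end
```

Because `ANCHORED` uses `^` and `$`, a line that does not follow the assumed layout fails to match (Logstash would tag it `_grokparsefailure`) instead of silently producing truncated fields.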