Hey all
I'm creating a filter that needs to filter a custom log message. The log message includes at the end the message of the log itself. This message is sometimes separated by commas.
I want to separate this message into different pieces for input into logstash.
Log message:
417 01/06/2017 05:15:56.138 T[62] FATAL Validate TEST\iusr --+--+--+ApplicationGuid:0768bb11-0b22-43d6-827c-90d081828675, MethodName:GetUser, Valid: True
Grok filter:
%{NUMBER:linenumber} (?<datestamp>%{MONTHDAY}/%{MONTHNUM}/%{YEAR} %{TIME}) (?<thread>T\[%{NUMBER}\]) %{LOGLEVEL:severity} %{DATA:method} (?<user>[^ ]+) (?<log_message>[^,].*) (?<method_name>(MethodName:)(.*,)) (?<is_valid>(Valid:)(.*))
Current result according to https://grokdebug.herokuapp.com/ :
{
  "linenumber": [
    [
      "417"
    ]
  ],
  "datestamp": [
    [
      "01/06/2017 05:15:56.138"
    ]
  ],
  "thread": [
    [
      "T[62]"
    ]
  ],
  "severity": [
    [
      "FATAL"
    ]
  ],
  "method": [
    [
      "Validate"
    ]
  ],
  "user": [
    [
      "TEST\\iusr"
    ]
  ],
  "log_message": [
    [
      "--+--+--+ApplicationGuid:0768bb11-0b22-43d6-827c-90d081828675,"
    ]
  ],
  "method_name": [
    [
      "MethodName:GetUser,"
    ]
  ],
  "is_valid": [
    [
      "Valid: True"
    ]
  ]
}
I tried it through grokdebug.herokuapp.com but it doesn't return a log_message
result without the trailing comma. Regex101.com just states that .*[^,]
should do the trick, however it doesn't in Grok.
What am I doing wrong?
Thanks for your help!
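The behaviour the post describes, reproduced as an added example (not part of the original post, and not Logstash code): a plain Python regex stands in for the grok pattern, since grok compiles to the same kind of regex. The `POSTED` tail mirrors the post's `[^,].*` group, where `[^,]` only forbids a comma as the first character and the greedy `.*` then has to stretch up to the literal space before `MethodName:`, so the comma stays inside the capture. The `FIXED` tail captures `[^,]*` (stops at the first comma) and matches the comma as an optional separator outside the group. The example goes one step further than the post and also splits the whole comma-separated tail into key/value pairs. The `%{NUMBER}`, `%{LOGLEVEL}` and similar grok classes are approximated with simple character classes, and the assumption that `--+--+--+` is a delimiter to be stripped from the first key is mine.

```python
import re

# Constructed sample input: the log line from the post, as a Python string
# (the backslash in TEST\iusr is escaped here).
SAMPLE = ("417 01/06/2017 05:15:56.138 T[62] FATAL Validate TEST\\iusr "
          "--+--+--+ApplicationGuid:0768bb11-0b22-43d6-827c-90d081828675, "
          "MethodName:GetUser, Valid: True")

# Assumption: the post's "--+--+--+" is a delimiter, not part of the first key.
MARKER = "--+--+--+"

# Shared prefix, a plain-regex approximation of the post's grok groups
# (%{NUMBER}, %{LOGLEVEL} etc. are replaced by simple character classes).
PREFIX = (
    r"^(?P<linenumber>\d+) "
    r"(?P<datestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<thread>T\[\d+\]) "
    r"(?P<severity>[A-Z]+) "
    r"(?P<method>\S+) "
    r"(?P<user>[^ ]+) "
)

# Tail as written in the post: [^,] only forbids a comma as the FIRST character
# of log_message; the greedy .* after it keeps the trailing comma because the
# literal space that follows must sit right before "MethodName:".
POSTED = re.compile(
    PREFIX
    + r"(?P<log_message>[^,].*) "
    + r"(?P<method_name>MethodName:.*,) "
    + r"(?P<is_valid>Valid:.*)$"
)

# Tail with comma-free captures: each value is [^,]* (stops at the first comma)
# and the comma itself is matched outside the group as an optional separator.
FIXED = re.compile(
    PREFIX
    + r"(?P<log_message>[^,]*),? "
    + r"(?P<method_name>MethodName:[^,]*),? "
    + r"(?P<is_valid>Valid:.*)$"
)


def grok_like(pattern: re.Pattern, line: str) -> dict:
    """Return the named groups of `pattern` for `line`, or {} if it does not match."""
    m = pattern.match(line)
    return m.groupdict() if m else {}


def split_kv(tail: str, field_sep: str = ",", value_sep: str = ":") -> dict:
    """Split a 'Key:Value, Key2: Value2' tail into a dict, trimming whitespace.

    A segment without a value separator is kept as a key with an empty value,
    so no part of the input is silently dropped.
    """
    out = {}
    for segment in tail.split(field_sep):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, value = segment.partition(value_sep)
        out[key.strip()] = value.strip() if sep else ""
    return out


def parse_line(line: str) -> dict:
    """Full parse: fixed-position fields plus the tail split into key/value pairs."""
    fields = grok_like(FIXED, line)
    if not fields:
        return {}
    # Everything after the user column is the comma-separated message tail.
    tail = line.split(fields["user"] + " ", 1)[1]
    if tail.startswith(MARKER):
        tail = tail[len(MARKER):]
    fields["kv"] = split_kv(tail)
    return fields


if __name__ == "__main__":
    print(grok_like(POSTED, SAMPLE)["log_message"])  # capture ends with a comma
    print(grok_like(FIXED, SAMPLE)["log_message"])   # no trailing comma
    print(parse_line(SAMPLE)["kv"])
```

In Logstash the same split is usually done by capturing the whole tail as one field with grok and handing it to the `kv` filter with `field_split` set to `,` and `value_split` set to `:`, which avoids hard-coding each key into the grok pattern; a line that does not match the fixed-position prefix should be tagged rather than dropped so malformed input is still visible.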