Grok - Optional Spacing

chunter85 · April 26, 2018, 3:01pm

I am having an issue where we have vary amounts of white space after our logger name. There are 13 characters reserved for this field and depending on what the logger is called depends on how much white space there is present after it. This is what appears to be causing me issues.

The Grok pattern I have at the moment is:

[%{DATE:Date} %{TIME:Time} %{WORD:TimeZone}] %{WORD:Thread} %{WORD:LoggerName} %{SPACE} %{WORD:Code}

Example that works and parses correctly:
[26/04/18 15:20:29:737 BST] 000000f6 SystemOut O

Example that does not work, the I character isn't being parsed:
[26/04/18 15:17:20:858 BST] 0002cb77 LdapConnectio I

If I change the %{SPACE} to %{NOSPACE} the I character is then ignored and the 1st part of my error is picked up instead.

atira · April 26, 2018, 3:55pm

The two examples are, from the pattern's point of view, equivalent. Are you sure the forum is displaying it right? I see only one space between in both examples.

chunter85 · April 26, 2018, 6:57pm

It does look like the forum has done something. It done it again while trying to post again. There should be 5 white spaces in example 1 between SystemOut and O as opposed to just 1 white space in example 2 between LdapConnectio and I.

GROK

I have patterns that match one statement or the other, but haven't managed to get a pattern that matches them both correctly.

I have taken a screen grab and shared that.

Any help would be greatly appreciated.

darkmoon · April 26, 2018, 7:17pm

[%{DATE:Date} %{TIME:Time} %{WORD:TimeZone}] %{WORD:Thread} %{WORD:LoggerName} %{SPACE} %{WORD:Code}

Try:

[%{DATE:Date}\s+%{TIME:Time}\s+%{NOTSPACE:TimeZone}]\s+%{NOTSPACE:Thread}\s+%{NOTSPACE:LoggerName}\s+%{NOTSPACE:Code}

Maybe? (escape the square brackets and explicitly make the whitespaces variable length. I also avoid WORD because it uses \b internally, but that's because it breaks other things I do.)

chunter85 · April 27, 2018, 8:20am

Thanks for the reply... It got me in the right direction.

I have ended up with the below which is fit for purpose for what I need for now. I appreciate the tip around using WORD, or not using it.

[%{DATE:Date} %{TIME:Time} %{WORD:TimeZone}] %{WORD:Thread} %{WORD:LoggerName}\s+%{NOTSPACE:Code}%{GREEDYDATA:ErrorMessage}

atira · April 27, 2018, 4:43pm

The reason your original pattern didn't work is that the %{SPACE} part had one space before and after it. That's two spaces, minimum.
There is however only one space in LdapConnectio I, so the pattern didn't match.

system · May 25, 2018, 4:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.