Grok parse failure splitting in to 3 blocks

karlm · July 6, 2020, 9:48am

I have a log file, with multiple lines like so

03-Jul-2020 10:24:00.773 +01:00 [ERR] this is the error message message

I have a grok filter trying to extract the log in 3 separate blocks

1. DateTime 
2. Priority 
3. Message

my filter does not seem to be parsing the information

 "tags": [
            "_grokparsefailure"
            ],


grok {

        match => { "message" => "%{MONTHDAY}[./-]%{MONTH}[./-]%{YEAR}[ ]%{HOUR}[./::]%{MINUTE}[./::]%{SECOND}[ ]%{ISO8601_TIMEZONE} /[%{WORD:priority}/] " }

    }

Badger · July 6, 2020, 4:58pm

They should be backslashes, not forward slashes.

That said, I would do this using dissect, not grok.

dissect { mapping => { "message" => "%{[@metadata][ts]} %{+[@metadata][ts]} %{+[@metadata][ts]} [%{pri}] %{msg}" } }

Kurt_S · July 7, 2020, 3:14pm

Looks like you could you use the grok debugger.

It allows you to build your grokpattern incrementally. So you could start with
^%{MONTHDAY}-%{MONTH}...
... and go from there to build the complete pattern.

Also have a look at the patterns section, there could be more complex patterns you could use.

karlm · July 14, 2020, 9:21am

grok {
       match => { "message" => "%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{ISO8601_TIMEZONE} \[%{WORD:priority}\] %{GREEDYDATA:log_message}" }
     }

mutate {
            add_field => {
                "logdate" => "%{year}-%{month}-%{day} %{time}"
            }
        }

       date {
           match => [ "logdate", "yyyy-MMM-dd HH:mm:ss.SSS" ]
       }

       mutate{
           remove_field => [ "day", "month", "year", "time", "logdate" ] 
       }

system · August 11, 2020, 9:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.