I'm having quite a bit of trouble parsing some Java logs. The log output uses the standard Java logging format, matching the pattern defined in %{JAVALOGMESSAGE}.
The application runs on JBoss inside a Docker container. Output goes to the container's stdout, is collected by Logspout, shipped to Redis by a Logspout plugin that emits events in Logstash format, and finally retrieved from Redis by my Logstash indexer.
Without any parsing applied, the message field content looks like this in Kibana's raw JSON tab:
\u001b[0m\u001b[0m20:58:07,382 INFO [thingdoer.thing2] (default task-28) Doingthings.getthing(126822)
which Kibana's default table tab renders as:
[0m[0m20:58:07,382 INFO [thingdoer.thing2] (default task-28) Doingthings.getthing(126822)
I'm not sure why the [0m at the start of the message is doubled up like that by Logstash; the application's stdout doesn't look that way. Regardless, I've been trying to grok the pattern so I can capture the information in the logs and map it to separate fields on the document.
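For reference, the prefix in the raw JSON tab looks like two consecutive ANSI "reset" sequences (the ESC byte followed by the literal characters [0m). A minimal Python check of the raw string as shown in the JSON tab (assuming that tab displays the event's bytes faithfully; this is just my own illustration, not part of the pipeline):

```python
# The message exactly as the raw JSON tab shows it, with \u001b written \x1b.
raw = ("\x1b[0m\x1b[0m20:58:07,382 INFO [thingdoer.thing2] "
       "(default task-28) Doingthings.getthing(126822)")

# Count the ANSI reset sequences at the front of the message.
print(raw.count("\x1b[0m"))  # 2

# Dropping only the non-printable ESC byte leaves exactly what the
# table tab displays: the visible "[0m[0m" prefix.
print(raw.replace("\x1b", "")[:6])  # [0m[0m
```

So the doubling is at least consistent between the two Kibana views; only the invisible ESC byte differs.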
The first pattern I tried was:
\u001b[0m\u001b%{JAVALOGMESSAGE}
Despite the painful look of it, when I feed that pattern plus some sample logs of this format into grokconstructor.appspot.com, it reports that the whole line matches. However, when I tell Logstash to grok it the same way, it apparently hurts Logstash's brain, and the event comes back tagged with a grok parse failure.
The configuration I am using looks like this:
filter {
  grok {
    match => {
      "message" => "\u001b[0m\u001b%{JAVALOGMESSAGE}"
    }
  }
}
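One thing I've started to wonder about is the unescaped [ in the pattern, since grok patterns are ultimately regular expressions. Here's a minimal sketch of that concern in Python's re module (an assumption on my part that grok's Oniguruma engine treats [ the same way; the pattern and field names here are my own):

```python
import re

sample = ("\x1b[0m\x1b[0m20:58:07,382 INFO [thingdoer.thing2] "
          "(default task-28) Doingthings.getthing(126822)")

# Escaped form: "\[" matches a literal bracket and "\x1b" the ESC byte.
m = re.match(r"\x1b\[0m\x1b\[0m(?P<rest>.*)", sample)
print(m.group("rest"))  # starts with "20:58:07,382 INFO"

# Unescaped form: "[" opens a character class that is never closed,
# so the pattern does not even compile.
try:
    re.compile(r"\x1b[0m\x1b[0m(?P<rest>.*)")
except re.error as exc:
    print("bad pattern:", exc)
```

If Oniguruma behaves similarly, that could explain why grokconstructor and Logstash disagree, but I haven't confirmed it.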
What am I missing in this grok pattern? It seems like it should work. Thanks for any help.