I am trying to parse my log files. It was working however there is a new requirement and I need new field from the parsed logs.
Logs are more or less:
|2018-02-01 13:48:00.882|[v2.8.0.0]|DEBUG|[EndpointFirst] |Session activated (documentId: 508, workflow id: 1)|
|2018-02-01 13:48:00.901|[v2.8.0.0]|INFO|[Custom.EndpointSecond [Document 508]]|Firing event 'DocumentReceived' on state machine with current state 'Initial' and event argument 'CustomArgument'.|
My grok filter:
(?<my_timestamp>%{TIMESTAMP_ISO8601:timestamp})\s*(?<my_version>\[v.{7}])s*(?<my_severity>\s+%{LOGLEVEL:loglevel})\s*(?<my_endpoint>\[.{1,}])\s*(?<my_message>%{DATA:message})
Now I got the following fields (result from test grok patterns):
MATCHED
my_version [v2.8.0.0]
my_timestamp 2018-02-01·13:48:00.901
timestamp 2018-02-01·13:48:00.901
my_endpoint [Custom.EndpointSecond·[Document·508]]
my_message
my_severity ⇥INFO
message
loglevel INFO
after match: Firing event 'DocumentReceived' on state machine with current state 'Initial' and event argument 'CustomArgument'.
What I want to achieve?
- I would like to have new field <my_document> which should be parsed from [Custom.EndpointSecond·[Document·508]] (if there is no log with [Document x] then this field should be empty.
- I would like to have message populated with the string which starts after <my_endpoint> field.
Any help will be appreciated