Grok pattern construction

hitman · June 1, 2018, 5:46am

hi guys.....i m new to logsatsh and i am unable to understand this grok filter.i m providing my logs here...can anyone please provide the grok pattern and explain how?

2018-05-25 10:53:21.7529 TRACE Parameter Name : schoolid, Parameter Value : 80

magnusbaeck · June 1, 2018, 6:17am

Have you tried using the grok constructor web site?

What's the expected result of the grok filter? Is it okay to capture "Parameter Name : schoolid, Parameter Value : 80" into a single field or do you want a schoolid field containing 80? If so, do all messages look like this?

hitman · June 1, 2018, 6:19am

2018-05-25 10:53:15.8779 TRACE StoredProcedure Name : sp_gov_login_check
2018-05-25 10:53:15.9561 TRACE Parameter Name : username, Parameter Value : blrprincipal
2018-05-25 10:53:19.2373 TRACE StoredProcedure Name : sp_gov_getusertype
2018-05-25 10:53:19.2373 TRACE Parameter Name : username, Parameter Value : blrprincipal
2018-05-25 10:53:19.8623 TRACE StoredProcedure Name : sp_gov_login
2018-05-25 10:53:19.8623 TRACE Parameter Name : username, Parameter Value : blrprincipal
2018-05-25 10:53:21.7529 TRACE StoredProcedure Name : sp_gov_dashboard_admin_sk_getcurriculumprogress
2018-05-25 10:53:21.7529 TRACE Parameter Name : userid, Parameter Value : 3623
2018-05-25 10:53:21.7529 TRACE Parameter Name : schoolid, Parameter Value : 80
2018-05-25 10:53:21.7529 TRACE Parameter Name : acyear, Parameter Value : 2017
2018-05-25 10:53:21.7842 TRACE StoredProcedure Name : sp_gov_dashboard_admin_sk_getstaffattendnace
2018-05-25 10:53:21.7842 TRACE Parameter Name : userid, Parameter Value : 3623
2018-05-25 10:53:21.7842 TRACE Parameter Name : schoolid, Parameter Value : 80
2018-05-25 10:53:21.7842 TRACE Parameter Name : acyear, Parameter Value : 2017
2018-05-25 10:53:21.7998 TRACE StoredProcedure Name : sp_gov_dashboard_admin_sk_getstudentsattendnace
2018-05-25 10:53:21.7998 TRACE Parameter Name : userid, Parameter Value : 3623
2018-05-25 10:53:21.7998 TRACE Parameter Name : schoolid, Parameter Value : 80
2018-05-25 10:53:21.7998 TRACE Parameter Name : acyear, Parameter Value : 2017
2018-05-25 10:53:22.1592 TRACE StoredProcedure Name : sp_gov_dashboard_admin_getschoolkpisstatus
2018-05-25 10:53:22.1592 TRACE Parameter Name : userid, Parameter Value : 3623
2018-05-25 10:53:22.1592 TRACE Parameter Name : schoolid, Parameter Value : 80
2018-05-25 10:53:22.1592 TRACE Parameter Name : acyear, Parameter Value : 2017
2018-05-25 10:53:22.3467 TRACE StoredProcedure Name : sp_notice_board_get
2018-05-25 10:53:22.3467 TRACE Parameter Name : userid, Parameter Value : 3623
2018-05-25 10:53:22.3467 TRACE Parameter Name : schoolid, Parameter Value : 80
2018-05-25 10:53:22.3467 TRACE Parameter Name : typ, Parameter Value : noticeboard
2018-05-25 10:53:22.4873 TRACE StoredProcedure Name : sp_gov_dashboard_admin_sk_getstudentsmarks
2018-05-25 10:53:22.4873 TRACE Parameter Name : userid, Parameter Value : 3623
2018-05-25 10:53:22.4873 TRACE Parameter Name : schoolid, Parameter Value : 80
2018-05-25 10:53:22.4873 TRACE Parameter Name : acyear, Parameter Value : 2017
2018-05-25 10:53:22.8624 TRACE StoredProcedure Name : sp_notice_board_get
2018-05-25 10:53:22.8624 TRACE Parameter Name : userid, Parameter Value : 3623
2018-05-25 10:53:22.8624 TRACE Parameter Name : schoolid, Parameter Value : 80
2018-05-25 10:53:22.8624 TRACE Parameter Name : typ, Parameter Value : timeline
2018-05-25 10:53:22.8936 TRACE StoredProcedure Name : sp_gov_custom_forms_getcustomforms
2018-05-25 10:53:22.8936 TRACE Parameter Name : userid, Parameter Value : 3623
2018-05-25 10:53:22.8936 TRACE Parameter Name : schoolid, Parameter Value : 80
2018-05-25 10:53:22.8936 TRACE Parameter Name : acyear, Parameter Value : 2017
2018-05-25 10:53:22.9092 TRACE StoredProcedure Name : sp_gov_reports_getallexporttypes
2018-05-25 10:53:22.9092 TRACE Parameter Name : userid, Parameter Value : 3623
2018-05-25 10:53:22.9092 TRACE Parameter Name : schoolid, Parameter Value : 80
2018-05-25 10:53:22.9248 TRACE StoredProcedure Name : sp_gov_dashboard_admin_getstudentsattendance_report
2018-05-25 10:53:22.9248 TRACE Parameter Name : userid, Parameter Value : 3623
2018-05-25 10:53:22.9248 TRACE Parameter Name : instituteid, Parameter Value : 83
2018-05-25 10:53:22.9248 TRACE Parameter Name : stateid, Parameter Value : 0
2018-05-25 10:53:22.9248 TRACE Parameter Name : acyear, Parameter Value : 2017
2018-05-25 10:53:22.9404 TRACE StoredProcedure Name : sp_gov_custom_forms_getschoolcustomforms

magnusbaeck · June 1, 2018, 6:20am

Okay, but that only answers my last question.

hitman · June 1, 2018, 6:24am

those r my log files and i need to know how to get grok patern.yeah i used grok constructor ...but as i m new to this i dont understand the results.

magnusbaeck · June 1, 2018, 6:25am

I repeat: What's the expected result of the grok filter? Is it okay to capture "Parameter Name : schoolid, Parameter Value : 80" into a single field or do you want a schoolid field containing 80?

We can't help you if you can't tell us what you expect to get.

What did you come up with so far?

system · June 29, 2018, 6:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern creation Logstash	3	257	July 10, 2018
GROK: help with pattern Logstash	4	257	June 17, 2021
Grok pattern Logstash	3	254	November 10, 2021
Having problems parsing data Logstash	4	305	February 18, 2021
Grok_help Logstash	8	284	June 11, 2018

Grok pattern construction

Related Topics