GROK pattern for message

_gandhe · April 1, 2019, 4:32am

I have following log line: -

2019-03-29 05:20:18 INFO::ModelId=model-cps-czooarea05nap01::ServiceName=Data Monitoring Tool::SolutionName=PM::ProcessStep=sitetags::SystemGuid=1d950a95-861b-47d8-b44e-2e220da138cc::Quality=Good::Description=Operation check is Success.

I want to extract following values using GROK pattern: -
model-cps-czooarea05nap01
Data Monitoring Tool
PM
sitetags
1d950a95-861b-47d8-b44e-2e220da138cc
Good
Operation check is Success.

I am stuck at extracting "Data Monitoring Tool" as it consists of spaces within the words.
Here is pattern so far

%{TIMESTAMP_ISO8601:LogDate} %{LOGLEVEL:Status}::ModelId=%{DATA:ModelID}::ServiceName=%{DATA}

spinscale · April 1, 2019, 8:06am

hey,

instead of using grok, how about the kv ingest processor? See this example

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "_description",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "%{TIMESTAMP_ISO8601:date} %{WORD:loglevel}::%{GREEDYDATA:keys}"
          ]
        }
      },
      {
        "kv": {
          "field": "keys",
          "field_split": "::",
          "value_split": "=",
          "target_field" : "my_keys"
        }
      },
      {
        "remove": {
          "field": [ "message", "keys" ]
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "2019-03-29 05:20:18 INFO::ModelId=model-cps-czooarea05nap01::ServiceName=Data Monitoring Tool::SolutionName=PM::ProcessStep=sitetags::SystemGuid=1d950a95-861b-47d8-b44e-2e220da138cc::Quality=Good::Description=Operation check is Success."
      }
    }
  ]
}

system · April 29, 2019, 8:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.