Grok Pattern not parsing

dlopez · May 11, 2016, 10:03am

Hi, I'm trying to parse a log file with content like this:

2016-05-09 12:00:00,006 INFO  [com.level2.quartz.BaseLevel2EngineJob] (MVCScheduler_Worker-1) Executing job It removes expired activation codes
2016-05-09 12:00:00,006 INFO  [com.seglan.mvc.batch.MvcActivationCodesJobImpl] (MVCScheduler_Worker-1) Activation codes cleanup job is running...

I've tested the filter using the Grok Debugger but when starting logstash, nothing is parsed.

Here is my logstash.conf file:

input {
  file {
        path => "/home/dlopez/server.log"
        start_position => "beginning"
       }
}

filter {
   grok {
     match =>
        {
          "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:level}\s+\[%{DATA:className}\]%{SPACE}%{GREEDYDATA:message}"
        }
   }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "logstash-%{+YYYY.MM.dd}"
  }
}

Is there any way to test the pattern?

Any help would be appreciated. Thanks

Regards

magnusbaeck · May 11, 2016, 10:44am

Comment out the elasticsearch output and replace it with stdout { codec => rubydebug } to shorten the feedback loop. You might also find https://github.com/magnusbaeck/logstash-filter-verifier useful.

dlopez · May 11, 2016, 12:46pm

Thank you very much!

this is what I got:

{
"message" => "2016-05-09 12:00:00,029 DEBUG [com.googlecode.genericdao.search.BaseSearchProcessor] (MVCScheduler_Worker-1) generateQL:",
"@version" => "1",
"@timestamp" => "2016-05-11T12:40:49.362Z",
"path" => "/home/dlopez/server_test.log",
"host" => "sgl-v6-hce-piraeusbank-back",
"tags" => [
[0] "_grokparsefailure"
]
}

My parser is not working fine but I don't know why

Thanks

magnusbaeck · May 11, 2016, 1:21pm

Start small and increase the complexity. Begin with the simplest possible expression (%{TIMESTAMP_ISO8601:timestamp}) and make sure that works. Then add more and more tokens until things break.

diwertowski · May 11, 2016, 1:32pm

You can test your patterns with this debugger:

http://grokdebug.herokuapp.com/

dlopez · May 11, 2016, 1:46pm

Thanks, I've used that debugger to compose and test my pattern but unfortunately once I've moved into the system it doesn't work

diwertowski · May 11, 2016, 2:03pm

Maybe something like this?

%{TIMESTAMP_ISO8601:timestamp} %{WORD:level}\s*\[(?<className>[A-Z,a-z,.,0-9]*)] %{GREEDYDATA:message}

dlopez · May 11, 2016, 2:14pm

Ok, it seems the problem was here:

\s+[%{DATA:className}]

I'm trying to parse the "class name" part of the message, I've tried the following as well but with no luck:

%{TIMESTAMP_ISO8601:timestamp}%{SPACE} %{LOGLEVEL:level} %{SPACE} %{SPACE} \[%{JAVACLASS:class}\] %{SPACE} %{GREEDYDATA:message}

Thanks

dlopez · May 11, 2016, 2:43pm

Well, finally I got it working:

{ "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} \s+[%{JAVACLASS:class}] %{GREEDYDATA:message} " }

I removed all the ${SPACE} and now it can be parsed

Thanks a lot for your help and clues!

Topic		Replies	Views
Grok pattern not working in Logstast Logstash	1	553	April 4, 2019
Grok pattern working fine in grok debugger but the same pattern is not working when running with logstash Logstash	14	2717	February 1, 2018
Grok filter pattern not working Logstash	9	1028	January 10, 2020
_grokparsefailure in Kibana although Grok tester returns "matched" Logstash	6	335	August 10, 2018
Grok filter not being applied but logstash logs being collected Logstash	10	1094	April 2, 2020

Grok Pattern not parsing

Related topics