Hi
I have a difficult log for me.
Because sometimes I have nested bracket and sometimes i don't
How to parse it in a grok.
[2022-09-05 17:27:24,537] [apps-thread | test-policy] WARN
[2022-09-06 14:19:25,708] [App (app-1) thread #1 - AppsConsumer[apps-notify]] INFO
grok {
match => [ "message", "\[%{TIMESTAMP_ISO8601:timestamp}\] \[HOW TO HANDLE THIS:thread\] %{LOGLEVEL:log_level}" ]
tag_on_failure => ["failed-to-parse"]
}
Please help
You could try
"^\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{GREEDYDATA:someField}\] %{LOGLEVEL:log_level}$"
Thanks, I was convinced that the above proposal would give me:
{
"log_level": "] INFO",
"someField": "App (app-1) thread # 1 - AppsConsumer [apps-notify",
"timestamp": "2022-09-06 14:19: 25,708"
}
because the grok will stop on the first squere bracket "]"
Today in the morning I understand that there is a squere bracket space log_level, which is why it does not stop on the first bracket
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.