Grok pattern - sometimes nesting bracket

elkuser1234 · September 6, 2022, 1:15pm

Hi

I have a difficult log for me.
Because sometimes I have nested bracket and sometimes i don't

How to parse it in a grok.

[2022-09-05 17:27:24,537] [apps-thread | test-policy] WARN
[2022-09-06 14:19:25,708] [App (app-1) thread #1 - AppsConsumer[apps-notify]] INFO

        grok {

             match => [ "message", "\[%{TIMESTAMP_ISO8601:timestamp}\] \[HOW TO HANDLE THIS:thread\] %{LOGLEVEL:log_level}" ]
             tag_on_failure => ["failed-to-parse"]


        }

Please help

Badger · September 6, 2022, 4:01pm

You could try

"^\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{GREEDYDATA:someField}\] %{LOGLEVEL:log_level}$"

elkuser1234 · September 7, 2022, 6:34am

Thanks, I was convinced that the above proposal would give me:

{
   "log_level": "] INFO",
   "someField": "App (app-1) thread # 1 - AppsConsumer [apps-notify",
   "timestamp": "2022-09-06 14:19: 25,708"
}

because the grok will stop on the first squere bracket "]"

Today in the morning I understand that there is a squere bracket space log_level, which is why it does not stop on the first bracket

system · October 5, 2022, 6:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok parser and nested brackets Logstash	6	263	April 10, 2023
First time with grok Elasticsearch	3	206	April 26, 2022
Grok Parsing Timestamp Error Logstash	1	294	February 20, 2018
Logstash grok filter for parsing nested data? Logstash	4	2119	April 5, 2017
Using regex grouping and logical OR in a Grok Pattern Logstash	3	14138	July 6, 2017

Grok pattern - sometimes nesting bracket

Related topics