Grok pattern won't match

sentinel · July 13, 2017, 5:05pm

I have this pattern:
2017-07-13T00:00:04,621 [WARN ][Client-Push:1:3][PfFwdPointSubscriptionService] SEKHKD is disabled
I am able to match up to [client push1:3]

Using this:
\A%{TIMESTAMP_ISO8601:timestamp}\s+[%{LOGLEVEL:loglevel}\s+][(?(?:[A-Za-z0-]:[0-9]:[0-9]))](?(?:[[^.$]]))

I need to get rid of the square brackets by PfFwdPointSubscriptionService. Seems simple but I may be missing something.

{
"timestamp": [
[
"2017-07-13T00:00:04,621"
]
],
"loglevel": [
[
"WARN"
]
],
"thread": [
[
"Client-Push:1:3"
]
],
"bean": [
[
"[PfFwdPointSubscriptionService]"
]
]
}

Makra · July 13, 2017, 5:46pm

For the following log->

2017-07-13T00:00:04,621 [WARN ][Client-Push:1:3][PfFwdPointSubscriptionService] SEKHKD is disabled

The Grok pattern is ->

^%{TIMESTAMP_ISO8601:timestamp},%{NUMBER:tz} \[%{LOGLEVEL:loglevel} \]\[%{GREEDYDATA:client_push}\]\[%{GREEDYDATA:Service}\] %{GREEDYDATA:msg}

Output in https://grokdebug.herokuapp.com/

{
  "timestamp": [
    [
      "2017-07-13T00:00:04"
    ]
  ],
  "tz": [
    [
      "621"
    ]
  ],
  "loglevel": [
    [
      "WARN"
    ]
  ],
  "client_push": [
    [
      "Client-Push:1:3"
    ]
  ],
  "Service": [
    [
      "PfFwdPointSubscriptionService"
    ]
  ],
  "msg": [
    [
      "SEKHKD is disabled"
    ]
  ]
}

system · August 10, 2017, 5:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok not working Logstash	2	562	June 30, 2017
Need Help for grok pattern for logstash-2.1.0 Logstash	2	572	July 6, 2017
_grokparsefailure problem Logstash	3	355	September 4, 2019
Logstash filter plugin (Grok) for custom pattern Not match curly bracket! Logstash	18	910	August 26, 2020
Grok Pattern not matching in Logstash, but matches in Grok Debuggger Logstash	9	451	September 11, 2019

Grok pattern won't match

Related topics