Grok result can not find my data field

Chita_Rain · September 14, 2016, 6:39am

I try to use Grok to match some log like below:
[2016-09-07 00:00:02] online.INFO: GenerateLogData: {"userType":"MERCHANT","targetPlatformUserNo":"5mwe"}
with pattern :
\[%{TIMESTAMP_ISO8601:timestamp}\] %{DATA:env}\.%{DATA:severity}: %{DATA:basetype}:%{DATA:json}

but the result is something unexpected

{
    "@timestamp" => "2016-09-14T06:28:00.505Z",
       "message" => "[2016-09-07 00:00:02] online.INFO: GenerateLogData:{\"userType\":\"MERCHANT\",\"targetPlatformUserNo\":\"5mwe\"}  ",
      "@version" => "1",
          "host" => "0fbd5f9e910a",
     "timestamp" => "2016-09-07 00:00:02",
           "env" => "online",
      "severity" => "INFO",
      "basetype" => "GenerateLogData"
}

where is my json field?

magnusbaeck · September 14, 2016, 7:13am

DATA is non-greedy, i.e. it's perfectly happy with matching nothing. If you change the grok expression to either

...%{DATA:json}$

or

...%{GREEDYDATA:json}

it'll work. You should also be careful with multiple DATA patterns in the same expression (especially if combined with GREEDYDATA). Depending on the expression and the input you can easily get unexpected matches.

Chita_Rain · September 14, 2016, 9:18am

thanks!
you are my savior

Topic		Replies	Views
Greedydata does not work Logstash	11	2922	July 6, 2017
Make a grok pattern for a field that might be missing Logstash	4	803	April 3, 2023
Need Help for grok pattern for logstash-2.1.0 Logstash	2	572	July 6, 2017
[SOLVED] Grok and Greedydata regex Logstash	9	7897	February 13, 2017
Optional grok pattern field doesnt match Logstash	2	289	February 25, 2021

Grok result can not find my data field

Related topics