Grok result can not find my data field

Chita_Rain · September 14, 2016, 6:39am

I try to use Grok to match some log like below:
[2016-09-07 00:00:02] online.INFO: GenerateLogData: {"userType":"MERCHANT","targetPlatformUserNo":"5mwe"}
with pattern :
\[%{TIMESTAMP_ISO8601:timestamp}\] %{DATA:env}\.%{DATA:severity}: %{DATA:basetype}:%{DATA:json}

but the result is something unexpected

{
    "@timestamp" => "2016-09-14T06:28:00.505Z",
       "message" => "[2016-09-07 00:00:02] online.INFO: GenerateLogData:{\"userType\":\"MERCHANT\",\"targetPlatformUserNo\":\"5mwe\"}  ",
      "@version" => "1",
          "host" => "0fbd5f9e910a",
     "timestamp" => "2016-09-07 00:00:02",
           "env" => "online",
      "severity" => "INFO",
      "basetype" => "GenerateLogData"
}

where is my json field?

magnusbaeck · September 14, 2016, 7:13am

DATA is non-greedy, i.e. it's perfectly happy with matching nothing. If you change the grok expression to either

...%{DATA:json}$

or

...%{GREEDYDATA:json}

it'll work. You should also be careful with multiple DATA patterns in the same expression (especially if combined with GREEDYDATA). Depending on the expression and the input you can easily get unexpected matches.

Chita_Rain · September 14, 2016, 9:18am

thanks!
you are my savior

Topic		Replies	Views
Logstash Grok pattern GREEDYDATA does not match Logstash	5	1272	December 26, 2018
Remain json data as field in Logstash Logstash	4	1511	July 6, 2017
Grok is not parsing GREEDYDATA field Logstash	6	8285	July 6, 2017
Need Help for grok pattern for logstash-2.1.0 Logstash	2	592	July 6, 2017
Logstash grok parser Logstash	1	346	September 20, 2018

Grok result can not find my data field

Related topics