Grok type

Vigneshprasanna · February 1, 2018, 12:11pm

what grok i should use for " (http-WEB0001VR%2F10.351.100.19-1000-15) "

magnusbaeck · February 1, 2018, 12:44pm

What is the desired result?

Vigneshprasanna · February 1, 2018, 1:27pm

For below log the given grok is matching in grokdebug but not working in logstash any idea ???

Log:

2018-01-31 00:00:11,896 INFO [STDOUT] (http-WEB0001VR%2F10.351.100.19-1000-15) 00:00:11,896 [com.test.tst.connectivity.fddInvoker] INFO - TVS MSG Response [ CUSTOMER,PARTY.INFO/I/PROCESS///,***************//IN00111521,5269453 ]

Grok

%{TIMESTAMP_ISO8601:timestamp} *%{LOGLEVEL:Status} *[%{DATA:thread}] *(%{DATA:Server}%%{DATA:IP}-%{DATA:PORT}-%{DATA:Request_Response_ID} *%{TIME:Duration} *[%{JAVACLASS:Class}] *%{LOGLEVEL:Core_Status} - %{DATA:Response_From} *[%{GREEDYDATA:Log}]

Website Used : https://grokdebug.herokuapp.com/

!

The above image has the desired output

logstash.conf

Filter part :

filter {
grok {
match => [
"message",
"%{TIMESTAMP_ISO8601:timestamp} *%{LOGLEVEL:Status} *[%{DATA:thread}] *(%{DATA:Server}%%{DATA:IP}-%{DATA:PORT}-%{DATA:Request_Response_ID} *%{TIME:Duration} *[%{JAVACLASS:Class}] *%{LOGLEVEL:Core_Status} - %{DATA:Response_From} *[%{GREEDYDATA:Log}]"
]

}
}

Thanks in advance...

magnusbaeck · February 1, 2018, 1:29pm

Don't use more than one DATA or GREEDYDATA in the same expression. It's computationally expensive and unreliable. Addressing that might fix the problem you're having.

Vigneshprasanna · February 1, 2018, 1:36pm

can you guide me with some other alternate grok ??

Vigneshprasanna · February 1, 2018, 1:58pm

For (http-WEB0001VR%2F10.351.100.19-1000-15) i wanna split it into

"Server" : " http-WEB0001VR%2F10.351.100.19",

"Port" : "1000" &

"Response id" : "15"

How to do it without using DATA please advice.

muthu1086 · February 1, 2018, 2:58pm

You can use below grok for splitting (http-WEB0001VR%2F10.351.100.19-1000-15)

(?[a-z]+-[a-zA-Z0-9]+%[a-zA-Z0-9]+.[0-9]+.[0-9]+.[0-9]+)-(?[0-9]+)-(?[0-9]+)

{
"Server": [
[
"http-WEB0001VR%2F10.351.100.19"
]
],
"port": [
[
"1000"
]
],
"Response id": [
[
"15"
]
]
}

Vigneshprasanna · February 2, 2018, 4:26am

GERR3

Input Log:
2018-01-31 00:00:11,896 INFO [STDOUT] (http-WEB0001VR%2F10.351.100.19-1000-15) 00:00:11,896 [com.test.tst.connectivity.fddInvoker] INFO - TVS MSG Response [ CUSTOMER,PARTY.INFO/I/PROCESS///,***************//IN00111521,5269453 ]

Grok Used

%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:Status} *[%{DATA:thread}] (?[a-z]+-[a-zA-Z0-9]+%[a-zA-Z0-9]+.[0-9]+.[0-9]+.[0-9]+)-(?[0-9]+)-(?[0-9]+) *%{TIME:Duration} *[%{JAVACLASS:Class}] *%{LOGLEVEL:Core_Status} - %{DATA:Response_From} *[%{GREEDYDATA:Log}]

Separately its working but when put to gather its not working

muthu1086 · February 2, 2018, 4:49am

I think you are missing something. Am able to get the filter working.

com

system · March 2, 2018, 4:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.