Hi!
I have some old (hybris) logs to be parsed via ELK stack.
I have made a well-functioning grok matcher which works on both https://grokdebug.herokuapp.com/ and http://grokconstructor.appspot.com/do/match, but fails in Logstash.
The log types I have to take care of:
- INFO | jvm 1 | main | 2018/07/24 11:45:04.599 | 2018-07-24 11:45:04,567 FATAL (synchronizeLoginsJob) [Job] Caught throwable null
- INFO | jvm 1 | main | 2018/07/24 11:40:04.632 | 2018-07-24 11:40:04,534 INFO (deleteRequiredCronJob) [SolrExtIndexerJob] Started ext indexer cronjob.
- INFO | jvm 1 | main | 2018/07/24 11:45:04.599 | java.lang.NullPointerException
The pattern I am using:
.+|.+|.+| (?<log_date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}.\d{3}) |(.* %{LOGLEVEL:log_level})?[ ]+%{GREEDYDATA:log_message}
The first two logs get the _grokparsefailure tag, but the third gets parsed properly.
As I noticed, the problem is around the second timestamp, but I have no further idea how to fix this.
I have also tried to write a pattern for the second timestamp instead of the ".*", but that didn't solve the problem.
Any hints would be really appreciated here!
Cheers,
Adam
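An added example, not part of the post above and not Adam's code: the three log shapes from the question, parsed in Python with the `re` module, which uses the same alternation and named-group semantics as the Oniguruma engine behind grok. The first regex transcribes the question's prefix with its `|` characters unescaped; in a regex `|` is alternation, so the first alternative `.+` matches any non-empty line on its own and `log_date` is never captured. The second regex escapes the pipes as `\|` and wraps the second timestamp, level, job and logger block in an optional group so the bare exception line still matches. The LOGLEVEL alternative list and the `GROK_EQUIVALENT` string are assumptions (a subset of grok's default LOGLEVEL, and an untested grok transcription of the same pattern); the sample lines are constructed from the question.

```python
import re

# Constructed sample input: the three log shapes quoted in the question.
SAMPLE_LINES = [
    "INFO | jvm 1 | main | 2018/07/24 11:45:04.599 | 2018-07-24 11:45:04,567 FATAL (synchronizeLoginsJob) [Job] Caught throwable null",
    "INFO | jvm 1 | main | 2018/07/24 11:40:04.632 | 2018-07-24 11:40:04,534 INFO (deleteRequiredCronJob) [SolrExtIndexerJob] Started ext indexer cronjob.",
    "INFO | jvm 1 | main | 2018/07/24 11:45:04.599 | java.lang.NullPointerException",
]

# Assumption: a subset of grok's default LOGLEVEL alternatives, enough for these logs.
LOGLEVEL = r"(?:TRACE|DEBUG|INFO|NOTICE|WARN|WARNING|ERROR|SEVERE|FATAL|CRITICAL|ALERT|EMERGENCY)"

# The question's pattern transcribed to Python syntax with the '|' left unescaped.
# The engine reads each bare '|' as alternation, so the first alternative '.+'
# consumes the whole line and the log_date group is never reached.
UNESCAPED_PATTERN = re.compile(
    r".+|.+|.+| (?P<log_date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}.\d{3}) |"
    r"(?:.* (?P<log_level>" + LOGLEVEL + r"))?[ ]+(?P<log_message>.*)"
)

# Escaped pipes: one capture per pipe-delimited column, and the second
# timestamp / level / (job) / [logger] block is optional, so the bare
# "java.lang.NullPointerException" line (shape 3) still matches.
ESCAPED_PATTERN = re.compile(
    r"^(?P<wrapper_level>\S+) \| "
    r"(?P<jvm>[^|]+?) \| "
    r"(?P<thread>[^|]+?) \| "
    r"(?P<log_date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \| "
    r"(?:(?P<app_date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<log_level>" + LOGLEVEL + r") "
    r"\((?P<job>[^)]*)\) \[(?P<logger>[^\]]*)\] )?"
    r"(?P<log_message>.*)$"
)

# Assumption: the same pattern written with grok's default pattern names.
# Untested here; kept as a string for reference only.
GROK_EQUIVALENT = (
    r"^%{WORD:wrapper_level} \| %{DATA:jvm} \| %{DATA:thread} \| "
    r"(?<log_date>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}) \| "
    r"(?:%{TIMESTAMP_ISO8601:app_date} %{LOGLEVEL:log_level} "
    r"\(%{DATA:job}\) \[%{DATA:logger}\] )?%{GREEDYDATA:log_message}$"
)


def log_date_with_unescaped_pipes(line):
    """What the unescaped transcription captures as log_date: always None,
    because the leading '.+' alternative wins for every non-empty line."""
    m = UNESCAPED_PATTERN.search(line)
    return m.group("log_date") if m else None


def parse_line(line):
    """Parse one wrapper log line into a dict of named fields, or None if it
    does not match. Optional fields are None on the bare exception shape."""
    m = ESCAPED_PATTERN.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("unescaped log_date:", log_date_with_unescaped_pipes(line))
        print("escaped fields:    ", parse_line(line))
```

The two things to carry over to a grok definition are the `\|` escapes and the optional group around the application-side timestamp and level; `.+` placeholders for columns you do not need are fine, but they still have to be separated by escaped pipes rather than bare ones.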