Help with a grok filter for Docker

DannielWhatever · October 13, 2017, 4:38pm

Hello guys,

I pretty noob in Elastic, and I trying to implement a filter, for the messages of a SpringBoot application running on docker, that is sending the logs to Logstash using the syslog driver.
The messages seems like:

"message": "<30>Oct 13 13:29:51 container-name[10039]: 2017-10-13 16:29:51.551  INFO 1 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'requestContextFilter' to: [/*]"

The most important for me, is extracting the container-name to a new field.
Im using the next pattern , bit is not working.

match => { "message" => "<%{NUMBER:whatever}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" }

Thank u in advance

magnusbaeck · October 17, 2017, 5:34am

You're trying to use SYSLOGHOST to match container-name[10039]: but that won't work. You can use the grok constructor web site to find a better expression.

system · November 14, 2017, 5:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configuration in Logstash don't match logging of docker container Logstash	6	550	July 4, 2020
Logstash with grok patterns applied on logs coming out of docker containers Logstash docker	4	2763	June 25, 2019
Grokparsefailure but passes grok debugger Logstash	3	762	July 6, 2017
Logstash Filter, is there a better way than mine Logstash	4	224	May 6, 2022
Date filter seems to remove message Logstash	5	1420	July 13, 2017

Help with a grok filter for Docker

Related topics