Help with grok for logfile

dhiraj_khanna · July 27, 2017, 12:49pm

I am very new to the ELK stack and have been trying to look at some tutorials to get me started. Would appreciate if someone could point me in the right direction for ingesting the following type of logs. I assume that I would need to put together a grok filter but need a little helping hand :-

2017-07-07 00:00:00,021 ** Jul 07 00:00:00 **
** Jul 07 00:00:00 ** Alerts
** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 **
** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** Sent ** Jul 07 00:00:00 **
** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 **
** Jul 07 00:00:00 ** Commands
** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** ** Jul 07 00:00:00 ** STARTING REPORT AT Fri Jul 07 00:00:00 IST 2017
Totals (R/P/H) 0 | 0 | 0
Received (Recent) 0 | 0.00 /sec
Parsed (Recent) 0 | 0.00 /sec
Handled (Recent) 0 | 0.00 /sec
Tracks (MSCT)
Totals (In/Ok/Bad) 13384470 | 13223515 | 160955
Totals (Ok/Parse) 13223515 | 13223515
Totals (U/D/Discard) 7776339 | 855745 | 4591431
Totals (Ready/Sent) 8632084 | 8632084
Accepted (Recent) 6757 | 56.31 /sec
Parsed (Recent) 6757 | 56.31 /sec
Updated (Recent) 4307 | 35.89 /sec
Dropped (Recent) 309 | 2.57 /sec
Discard (Recent) 2141 | 17.84 /sec
(Recent) 4616 | 38.47 /sec
Tracks (Session)
Data Source (Multicast) 0 | 0.00 /sec
Data Source (Broadcast) 0 | 0.00 /sec
Data Source (TCP) 4645 | 38.71 /sec
Totals (R/P/H) 9331552 | 9331552 | 9331552
Totals (U/D) 7950395 | 1381157
Received (Recent) 4836 | 40.30 /sec
Parsed (Recent) 4836 | 40.30 /sec
Updated (Recent) 4363 | 36.36 /sec
Dropped (Recent) 473 | 3.94 /sec
Handled (Recent) 4836 | 40.30 /sec
Last Received -
Totals (R/P/H) 2917 | 2901 | 0
Received (Recent) 2 | 0.02 /sec
Parsed (Recent) 2 | 0.02 /sec
Handled (Recent) 0 | 0.00 /sec

My attempt at filtering are not even worth mentioning, but this is what I have tried so far %{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{GREEDYDATA:message}

josephjohney · July 27, 2017, 1:14pm

try experimenting your filters using Grok Debugger Grok debugger

system · August 24, 2017, 1:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.