Help with Grok pattern with space in field?

ZillaG · March 27, 2017, 6:55pm

I have the following log...

2017-03-27 14:24:50,607 DEBUG :Finalizer thread [com.company.classname]

...and the following filter

filter {
  grok {
    match => {
      "message" => [
        "%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}:%{HELP_WITH_PATTERN:thread}"
      ]
    }
  }
}

What should "HELP_WITH_PATTERN" be so I get thread => "Finalizer thread"

ZillaG · March 27, 2017, 7:06pm

I should read my own posts

whyapenny · March 27, 2017, 8:13pm

you could also create your own pattern:
NOTBRACKET [^[]+

Then call that:
%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}:%{NOTBRACKET:thread}${GREEDYDATA:theRest}

system · April 24, 2017, 8:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern with space Logstash	2	936	August 4, 2017
GROK Filter for class / thread regex help please Logstash	1	455	January 1, 2019
No Matches for the grok filter Logstash	6	928	April 5, 2018
Grok pattern not working with spaces Logstash	3	325	July 26, 2021
Grok: Pattern appears to be matching but not creating new fields Logstash	4	2032	July 6, 2017

Help with Grok pattern with space in field?

Related topics