Help with particular grok pattern (SOLVED)

sbampa · September 20, 2017, 2:14pm

Hi all,
i have a little problem with this type of log:

Wed Sep 20 16:02:39 2017 (186085) -7- ================= FUNCTOR WAITING FOR MSG =================
Wed Sep 20 16:02:39 2017 (284410) -7- <----------RECVFROM <- len [193] bytes
Wed Sep 20 16:02:39 2017 (340305) -7- Received():13624,0,20001,QLen is 0
Wed Sep 20 16:02:39 2017 (340329) -7- IPCMutexResource::lock
Wed Sep 20 16:02:39 2017 (340337) -7- FUNCTOR-ROW: Received pid=13624 id=0 loop=0 port=20001 queuelen=0 recv=258976 sent=258953 status=3

I'm using the followinf configuration in logstash:

filter {
grok {
match => ["message", "\A%{HTTPDERROR_DATE:timestamp} (%{NUMBER:bytes}) %{GREEDYDATA:message} "]
}
date {
match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy" ]
timezone => "Europe/Rome"
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp" ]
}

I would like to have every line separate from the other, so the separator is the date, but if the timestamp is equal, i will have all messages in a single block.

Can you help me please?

warkolm · September 21, 2017, 1:37am

It won't do that, it will treat each line as a separate event.

However your pattern isn't valid, it should be;

%{HTTPDERROR_DATE:timestamp} \(%{NUMBER:bytes}\) %{GREEDYDATA:message}

sbampa · September 21, 2017, 8:13am

Hi all,
problem was solved.
I have for other logs the following properties enabled:
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after

Disabled the rules, now logs has been processed in the right manner.
Thank's to everyone.

system · October 19, 2017, 8:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.