Hi,
I am trying to parse the following log events in Logstash using a grok pattern:
[3/19/19 9:11:44:401 UTC] 0000017f ServletWrappe I com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0242I: [FileNetEngine] [/acce] [/launch.jsp]: Initialization successful.
[3/19/19 9:11:44:299 UTC] 0000017f SystemOut O SUCCESSFULLY LOADED ESAPI_validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
The grok pattern for this is as follows:
%{DATESTAMP:time} %{NOTSPACE} %{NOTSPACE:thread} %{WORD:LogSource}%{SPACE} %{WORD:sev} %{NOTSPACE} %{NOTSPACE} %{WORD:ErrorCode}%{NOTSPACE}%{GREEDYDATA:JavaMessage}
I got the following result for the 1st event:
{
  "time": [
    [
      "3/19/19 9:11:44:401"
    ]
  ],
  "thread": [
    [
      "0000017f"
    ]
  ],
  "LogSource": [
    [
      "ServletWrappe"
    ]
  ],
  "sev": [
    [
      "I"
    ]
  ],
  "ErrorCode": [
    [
      "SRVE0242I"
    ]
  ],
  "JavaMessage": [
    [
      " [FileNetEngine] [/acce] [/launch.jsp]: Initialization successful."
    ]
  ]
}
But while parsing the second event, I am getting unnecessary values in "ErrorCode" (this field should be blank for this event), "JavaMessage", etc.
The result for the 2nd log event is as follows:
{
  "time": [
    [
      "3/19/19 9:11:44:299"
    ]
  ],
  "thread": [
    [
      "0000017f"
    ]
  ],
  "LogSource": [
    [
      "SystemOut"
    ]
  ],
  "sev": [
    [
      "O"
    ]
  ],
  "ErrorCode": [
    [
      "ESAPI_validation" # needed it to be blank
    ]
  ],
  "JavaMessage": [
    [
      " via the CLASSPATH from '/ (root)' using current thread context class loader!"
    ]
  ]
}
Can you please help me with this?
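An added example, not part of the original post: a Python `re` emulation of the pattern above next to a variant that makes the class, method and message ID one optional group, so `SystemOut` lines leave `ErrorCode` empty instead of filling it with message text. The simplified timestamp regex, the message ID shape (4-5 uppercase letters, 4 digits, one letter) and the names `HEAD`, `ORIGINAL`, `FIXED` and `parse` are assumptions made for this sketch.

```python
import re

# Constructed sample input: the two log events quoted in the post.
EVENTS = [
    "[3/19/19 9:11:44:401 UTC] 0000017f ServletWrappe I com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0242I: [FileNetEngine] [/acce] [/launch.jsp]: Initialization successful.",
    "[3/19/19 9:11:44:299 UTC] 0000017f SystemOut O SUCCESSFULLY LOADED ESAPI_validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!",
]

# Simplified stand-ins for the grok primitives (assumption: DATESTAMP is
# reduced to the single timestamp layout seen in these two events).
HEAD = (r"(?P<time>\d+/\d+/\d+ \d+:\d+:\d+:\d+) \S+ (?P<thread>\S+) "
        r"(?P<LogSource>\w+)\s* (?P<sev>\w+) ")

# Tail of the posted pattern: two mandatory tokens, then WORD as ErrorCode.
# On a SystemOut line those tokens are simply the first words of the message.
ORIGINAL = HEAD + r"\S+ \S+ (?P<ErrorCode>\w+)\S+(?P<JavaMessage>.*)"

# Variant: class, method and message ID are consumed together or not at all,
# and ErrorCode must look like a message ID followed by ": ".
# Grok form of the same tail (Oniguruma named capture):
#   (?:%{NOTSPACE} %{NOTSPACE} (?<ErrorCode>[A-Z]{4,5}[0-9]{4}[A-Z]): )?%{GREEDYDATA:JavaMessage}
FIXED = HEAD + (r"(?:\S+ \S+ (?P<ErrorCode>[A-Z]{4,5}\d{4}[A-Z]): )?"
                r"(?P<JavaMessage>.*)")


def parse(pattern, line):
    """Return the named captures as a dict, or None if the line does not match."""
    match = re.search(pattern, line)  # unanchored, like grok
    return match.groupdict() if match else None


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("fixed", FIXED)):
        for line in EVENTS:
            fields = parse(pattern, line)
            print(name, "| ErrorCode =", fields["ErrorCode"],
                  "| JavaMessage =", repr(fields["JavaMessage"]))
```

Events that carry no message ID keep their full text in `JavaMessage`, so downstream filters or alerts keyed on `ErrorCode` only see real message IDs.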