How to account for different number of blank spaces in Log4j logs?

ZillaG · June 21, 2016, 9:39pm

I have the following log4j logs

2016-04-22 16:43:25,172 ERROR :SomeThread : 2 [com.mycompany.SomeClass]  The Log Message.
2016-06-11 01:22:40,894 INFO  :SomeThread1 : 0 [com.mycompany.SomeClass1] The Log message

I have the following Grok filter

filter {
    mutate {
      strip => "message"
    }
    grok {
      match => {
        "message" => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:loglevel} :%{DATA:thread} : %{NUMBER:thread_pool} \[(?<classname>[^\]]+)\] %{SPACE} %{GREEDYDATA:msgbody}"
      }
    }
    date {
      match => ["logdate", "yyyy-MM-dd HH:mm:ss,SSS", "ISO8601"]
    }
}

However it only works for the ERROR log and not the INFO log, since ERROR takes up 5 spaces, and INFO 4 spaces, so there is ONE space between ERROR and :SomeThread, whereas there are TWO spaces between INFO and :SomeThread1.

How can I account for the different number of spaces between fields when writing Grok patterns?

marke72 · June 21, 2016, 9:59pm

I was actually messing with some extra spaces in grok today. My logs varied between 1 to 5 spaces and instead of putting actual spaces I used \s+ which is the regular expression for 1 or more spaces.
Try putting \s+ at the end of %{LOGLEVEL:loglevel} and see if that does the trick.

ZillaG · June 21, 2016, 10:02pm

Using %{SPACE} did the trick for me. So here's the filter

%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}:%{DATA:thread}%{SPACE}:%{SPACE}%{NUMBER:thread_pool}%{SPACE}\[(?<classname>[^\]]+)\]%{SPACE}%{GREEDYDATA:msgbody}

I'll try @marke72 idea too.

marke72 · June 21, 2016, 10:08pm

They both should work. %{SPACE} is just \s* I just use \s+ because I'm expecting at least one space.
Here's a reference https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns

ZillaG · June 21, 2016, 10:14pm

Yep makes sense now. I'm new to this too.