We are using the grok pattern below:
grok {
  match => {
    message => "^%{TIMESTAMP_ISO8601:timestamp_match}\s*%{WORD:system}\s*%{LOGLEVEL:loglevel}\s*%{SYSLOGHOST:session_id}\s*%{SYSLOGHOST:req_id}\s*%{WORD:user}\s*%{WORD:channel}\s*-\s*%{USERNAME:rqrs}\s*%{GREEDYDATA:message_text}\s*"
  }
}
Log: 2019-01-10T12:50:00,362 system INFO 187b2850-14bd-11e9-be75-0a0484180000 187b2648-14bd-11e9-be75-0a0484180000 System system - REQUEST {method=GET, path=/LCLG/lclg/pending-activation-status, headers={SOAPAction="", requestId=187b2648-14bd-11e9-be75-0a0484180000, Connection=Keep-Alive, Host=...153:30**, sessionId=187b2850-14bd-11e9-be75-0a0484180000, userName=Syst
We need to fetch the path (path=/LCLG/lclg/pending-activation-status) from the message_text field (the message_text field is created in the grok pattern) and add it to a new field "path".
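
One way to do this, shown as an added example that is not part of the original post: run a second grok over message_text with an inline named capture. The tag name `_path_not_found` is a constructed placeholder, and the capture stops at a comma, closing brace or whitespace because the stock URIPATH pattern accepts commas and would keep the trailing one from the sample line.

```logstash
filter {
  # First pass: the pattern from the post, unchanged. It leaves everything
  # after REQUEST in the message_text field.
  grok {
    match => {
      "message" => "^%{TIMESTAMP_ISO8601:timestamp_match}\s*%{WORD:system}\s*%{LOGLEVEL:loglevel}\s*%{SYSLOGHOST:session_id}\s*%{SYSLOGHOST:req_id}\s*%{WORD:user}\s*%{WORD:channel}\s*-\s*%{USERNAME:rqrs}\s*%{GREEDYDATA:message_text}\s*"
    }
  }

  # Second pass: search message_text for "path=" and capture the value into
  # a new field named "path". The pattern is unanchored, so it can match
  # anywhere in the field. \b keeps it from matching a longer key that
  # merely ends in "path".
  grok {
    match => { "message_text" => "\bpath=(?<path>[^,}\s]+)" }
    # Constructed tag name (assumption): marks events that carry no path=
    # key, so they can be told apart from first-pass grok failures.
    tag_on_failure => ["_path_not_found"]
  }
}
```

For the sample log line this sets path to /LCLG/lclg/pending-activation-status and leaves message_text intact.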