How to filter using Grok

2018-07-17 20:33:19 :: INFO :: Received Message from end System 12194779568228871 :: c.s.d.l.g.CBInitRequestListener:21 - Received a DDA Init Request from MCB...{
"header" : {
"msgSender" : "MCB",
"trackingId" : "M00320180605133A1643455",
"ctryCd" : "HK",
"evtCd" : "A",
"chanId" : "XXXX",
"msgTimestamp" : "2018-06-05T10:53:25.906"
},
"data" : {
"mndt" : {
"mndtId" : "003/MNDUSE9122",
"mndtReqId" : "M00320180605133A1643455",
"mndtTypCd" : "DDMP",
"mndtSeqTp" : "OOFF",
"mndtFrqcy" : "FRTN",
"cntPerPrd" : "8",
"frDt" : "2018-07-17",
"toDt" : "2018-12-12",
"trckgInd" : "false",
"colltnAmt" : "1232323.01",
"ccyCd" : "HKD",
"mndtRsn" : "NWSTUP",
"ref" : "inward_create_SLA_cut"
},
"cdtrInfo" : {
"cdrNm" : "MSIG INSURANCE (HONG KONG) LTD",
"cdtrAcct" : "1359879",
"cdtrAcctTyp" : "BBAN",
"cdrBkcd" : "003"
},
"dbtrInfo" : {
"dbtrNm" : "WONG SIU MING",
"dbtrAcct" : "123456",
"dbtrAcctTyp" : "BBAN",
"dbtrBkcd" : "004",
"ultmtDbtrNm" : "Saninty inward 1"
}
}
}

If I search based on tracking id, the JSON message should come. How can I implement this one? Please help to write the Logstash conf file.

Hi @udhaya_kumar,

What do you want exactly?

Can you explain more?

Thanks & Regards,
Krunal.

Hi Kalaria,

Thanks for your reply. I just want to filter the JSON message in the log. I have tried the below but it was not working:

input {

beats {
port => "5044"
}

}

filter {

grok {
match => { "message" => " %{JAVACLASS}:21 - Received a DDA Init Request from GCG...{
%{QUOTEDSTRING} : {
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING}
},
%{QUOTEDSTRING} : {
%{QUOTEDSTRING} : {
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING}
},
%{QUOTEDSTRING} : {
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING}
},
%{QUOTEDSTRING} : {
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING},
%{QUOTEDSTRING} : %{QUOTEDSTRING}
}
}
}"

}
}

json {
source => "message"
target => "jsonString"
}

}

output {
elasticsearch {
hosts => ["localhost:9200"]
}

}

Please help me in this.

Try

filter {
    grok { match => [ "message", "Received a DDA Init Request from %{WORD}\.\.\.%{GREEDYDATA:restOfLine}" ] }
    json { source => "restOfLine" }
}

Hi Badger,

I have tried the above but still it is not working.

What is not working? What is the input, what is the configuration, and what do you not like about the output?
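
For the tracking-id search asked about at the top of the thread, here is a filter built on the grok-then-json suggestion above; it is an added example, not code from any poster in this thread. It assumes the shipper delivers the whole record as one multi-line event (for example through Filebeat multiline settings, which are not shown on this page); `sender` and `dda` are hypothetical field names.

```logstash
filter {
  grok {
    # (?m) lets "." match newlines, so GREEDYDATA captures the whole
    # pretty-printed JSON body. Without it the capture ends at the end of
    # the first line (just "{") and the json filter below cannot parse it.
    match => {
      "message" => "(?m)Received a DDA Init Request from %{WORD:sender}\.\.\.%{GREEDYDATA:restOfLine}"
    }
  }

  # Only attempt JSON parsing when grok actually matched.
  if "_grokparsefailure" not in [tags] {
    json {
      source => "restOfLine"
      # Hypothetical target field. Parsing into a sub-field keeps keys from
      # the logged payload from overwriting top-level event fields.
      target => "dda"
      # On invalid JSON the event is tagged "_jsonparsefailure" (the default).
    }

    # Drop the raw capture only once it has been parsed successfully, so
    # failed events keep the text needed to debug them.
    if "_jsonparsefailure" not in [tags] {
      mutate { remove_field => ["restOfLine"] }
    }
  }
}
```

With this filter the tracking id is indexed as `dda.header.trackingId`, so a query on that field returns the event together with its parsed JSON payload.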
