How to grok certain fields from a log file

Hi All,

I am quite new to the magic world of Grok. Any help will be appreciated.

I need to apply a filter to the following file.

2022-08-22 22:18:59 , 666 INFO @ (blockurcolumn-11) [rbbit_MQ_Versa.appache 75] start collection of :
messageid: 8765568

<sol:create Id="8765568">
com:createlibidFR%67com:createlibid
com:doinglibidFRANCEcom:doinglibid
com:complelibidTRUEcom:complelibid
</sol:create Id>

==================================================
The grok pattern I am trying to use:
(?m)(?<Rabbit_datetimeTMP>.{23}) %{LOGLEVEL:Level}.messageid:\s%{BASE10NUM:Id}
<%{GREEDYDATA:Data}>

Requirement:
I need to grok the datetime, log level, message id and the first line of the XML, which starts with < and ends with >.
Unfortunately, it's taking the entire XML format.

This is working in grok debugger:
(?m)(?<Rabbit_datetimeTMP>.{23})\s*%{LOGLEVEL:Level}\s*%{DATA}messageid:\s*%{POSINT:messageid}%{DATA}<%{DATA:msg}>%{GREEDYDATA}

{
  "Rabbit_datetimeTMP": [
    [
      "22-08-22 22:18:59 , 666"
    ]
  ],
  "Level": [
    [
      "INFO"
    ]
  ],
  "DATA": [
    [
      "@ (blockurcolumn-11) [rbbit_MQ_Versa.appache 75] start collection of :\n",
      "\n\n"
    ]
  ],
  "messageid": [
    [
      "8765568"
    ]
  ],
  "msg": [
    [
      "sol:create Id="8765568""
    ]
  ],
  "GREEDYDATA": [
    [
      "\ncom:createlibidFR%67com:createlibid\ncom:doinglibidFRANCEcom:doinglibid\ncom:complelibidTRUEcom:complelibid\n</sol:create Id>"
    ]
  ]
}
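
Added example, not part of the original posts: the grok expressions from this thread hand-expanded into Ruby regexes (Ruby uses the same Oniguruma-style syntax as grok), showing why a GREEDYDATA capture swallows the whole XML while DATA stops at the first `>`, and that an unanchored `.{23}` captures the timestamp without its century, as seen in the debugger output above. `LEVEL` is a simplified stand-in for `%{LOGLEVEL}`, and the `ANCHORED` variant is an assumption about the timestamp layout based on the single sample line.

```ruby
# Constructed sample: the log event from the question as one multiline string.
SAMPLE = <<~LOG
  2022-08-22 22:18:59 , 666 INFO @ (blockurcolumn-11) [rbbit_MQ_Versa.appache 75] start collection of :
  messageid: 8765568

  <sol:create Id="8765568">
  com:createlibidFR%67com:createlibid
  com:doinglibidFRANCEcom:doinglibid
  com:complelibidTRUEcom:complelibid
  </sol:create Id>
LOG

# Hand expansions of grok macros: DATA is .*?, GREEDYDATA is .*, POSINT is
# [1-9][0-9]*. LEVEL is a simplified stand-in for %{LOGLEVEL} (assumption).
LEVEL = '(?<Level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL)'
BODY  = '\s*' + LEVEL + '.*?messageid:\s*(?<messageid>[1-9][0-9]*).*?'

# Regexp::MULTILINE is Ruby's form of (?m): "." also matches newlines.
def rx(src)
  Regexp.new(src, Regexp::MULTILINE)
end

# <%{GREEDYDATA:msg}> : ".*" runs to the end of the event, then backs up
# to the LAST ">", so msg spans every XML line.
GREEDY = rx('(?<ts>.{23})' + BODY + '<(?<msg>.*)>')

# <%{DATA:msg}>%{GREEDYDATA} : ".*?" stops at the FIRST ">".
LAZY = rx('(?<ts>.{23})' + BODY + '<(?<msg>.*?)>.*')

# Assumed tightening: anchor at the start of the event, spell out the
# timestamp layout, and forbid ">" and newlines inside the tag capture.
ANCHORED = rx('\A(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} , \d{3})' +
              BODY + '<(?<msg>[^>\n]*)>')

# Returns a Hash of named captures, or nil when the pattern does not match.
def extract(pattern, text = SAMPLE)
  m = pattern.match(text)
  m && m.named_captures
end

{ "greedy" => GREEDY, "lazy" => LAZY, "anchored" => ANCHORED }.each do |name, re|
  fields = extract(re)
  puts "#{name}: ts=#{fields['ts'].inspect} msg=#{fields['msg'].inspect}"
end
```

A timestamp field that silently loses characters will fail or mis-parse in a later `date` filter, so checking the captured value against the raw line is worth doing before shipping the pattern.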
