How to group space-separated parts of a message into one field in Grok?

ZillaG · March 2, 2017, 4:49pm

I have this log message

2017-03-02 15:52:08,455 INFO  :RMI TCP Connection(80920)-10.53.123.123 [c
    om.company.app]  Hello world

I want to group the "RMI TCP onnection(80920)-10.53.123.123" into one field, called my_connection, so my grok filter looks like this

filter {
  grok {
    match => {
      "message" => [
          "%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}:(?<my_connection>???) ......"
      ]
    }
  }
}

What should the ??? be?

ZillaG · March 2, 2017, 5:29pm

I came up with the following. However, it includes the space before the open square bracket before the classname. How do I rid of the space?

(?<node_connection>[^\[]*)

In other words, I get (space after the last 123 octet)

node_connection = "RMI TCP Connection(80920)-10.53.123.123 "

but I want (no space after last 123 octet)

node_connection = "RMI TCP Connection(80920)-10.53.123.123"

magnusbaeck · March 7, 2017, 6:24am

Just make sure there's a space after the closing parenthesis.

system · April 4, 2017, 6:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help with Grok pattern with space in field? Logstash	3	4856	April 24, 2017
Grok filter - issues with spaces and special charecters Logstash	11	8997	June 12, 2017
Trailing Whitespaces in Message Field Logstash	17	491	September 5, 2022
How to strip white space from all fields in logstash Logstash	6	5353	June 12, 2019
How to account for different number of blank spaces in Log4j logs? Logstash	5	2884	July 6, 2017

How to group space-separated parts of a message into one field in Grok?

Related topics