How to parse log file with different types of messages

Kennedy_Kan1 · July 7, 2016, 7:39am

Hi everyone,

I have a log file which contains complicated message types. Here is an example:

2016-07-07 13:30:02 [UnzipFile] Before file collection
2016-07-07 13:30:02 [GetZipCol] Start get sorted zip file collection
2016-07-07 13:30:02 [GetZipCol] ProcessDate: 2016-07-07
2016-07-07 13:30:02 [GetZipCol] End get sorted zip file collection
2016-07-07 13:30:02 [Main] [ERROR] No unzip file

The following grok pattern is only suitable for first 4 lines but not last line.

grok{
	match => {"message" => ['%{Date:Date}%{SPACE}%{Time:Time}%{SPACE}%{WORD:Job}%{SPACE}%{GREEDYDATA:Message}']}
    	}

I would like to know how should I modify the grok pattern as to capture[ERROR] from the last message. Is there anyone know how the way to do this?

Thanks.

magnusbaeck · July 7, 2016, 8:16am

I'm surprised that WORD works for matching [UnzipFile]. Assuming you don't really want the square brackets in your fields, this untested example removes them and supports the optional [ERROR]:

%{Date:Date}%{SPACE}%{Time:Time}%{SPACE}\[%{WORD:Job}\](%{SPACE}\[%{WORD:whatever}\])?%{SPACE}%{GREEDYDATA:Message}

The key here is (...)? for making a group of tokens optional.

You can also list multiple grok expressions in the same filter and Logstash will try them all in order and break when it gets a match. There's an example of this in the documentation.

Topic		Replies	Views
I need to parse this log message format Logstash	11	2427	April 2, 2019
Logstash Grok pattern match issue Logstash	4	432	September 24, 2021
Multiple Date formats in one file Logstash	4	2512	June 20, 2017
Help with grok pattern Logstash	2	231	June 4, 2021
Match and extract last part of log in pipe delimited log Logstash	3	2197	July 19, 2017

How to parse log file with different types of messages

Related topics