How to retrieve a string that starts with another string using grok?

Siri_sour · August 13, 2019, 2:48pm

Hi everyone,
I just starting working with es and kibana, right now I'm trying to structure this log :

2019-08-13 03:37:49,738 [default task-28] ERROR [org.jboss.jca.core.connectionmanager.listener.TxConnectionListener] sessionhash="8263c56211a7cc77fdd047d09b6ab8d2" requestid="56510X1565681869629" IJ000315: Pool QueueConnectionFactory has 1 active handles

I wan't to get something like this:
{
"timestamp": "2019-08-13 03:37:49,738"
"task": "default task-28",
"loglevel": "ERROR",
"package": "org.jboss.jca.core.connectionmanager.listener.TxConnectionListener",
"sessionhash":"8263c56211a7cc77fdd047d09b6ab8d2",
"requestid"="56510X1565681869629",
"message"="IJ000315: Pool QueueConnectionFactory has 1 active handles"

}

How can I retrieve the sessionhash and requestid ?

Thanks in advance !

Badger · August 13, 2019, 3:08pm

The following would do it

    dissect { mapping => { "message" => "%{[@metadata][timestamp]} %{+[@metadata][timestamp]} [%{task}] %{loglevel} [%{package}] %{[@metadata][restOfLine]}" } }
    date { match => [ "[@metadata][timestamp]", "YYYY-MM-dd HH:mm:ss,SSS" ] }
    grok {
        match => {
            "[@metadata][restOfLine]" => [
                '^sessionhash="%{BASE16NUM:sessionhash}" requestid="%{WORD:requestid}" %{GREEDYDATA:message}'
            ]
        }
        overwrite => [ "message" ]
    }

I use dissect to parse the first part of the message which will be common to different messages. (I am assuming you later want to parse other messages, if that is not true you can fold the grok into the dissect and do it all in one filter.)

Siri_sour · August 15, 2019, 2:00pm

Thank you so much, I did some modifications but this was the exact thing I needed.

system · September 12, 2019, 2:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.