Hyphen-minus with a new line

Burga · June 10, 2020, 9:36am

Hi , I'm trying to grok log with a multiple lines and Hyphen-minus and got stuck

2020-06-10 10:06:59,821 WARN [ImageFilterEffect:thread-1] [confluence.image.effects.ImageFilterTask] rotateWhenExifExist Could not retrieve exif info.
 -- url: /confluence/download/attachments/125736733/hardware%20certification.jpg | referer: https://wiki.checkpoint.com/confluence/ | traceId: 031d85ca5d5db288 | userName: roniz

here "-- url" is already a new line

my grok filter is

(?m)%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} \[%{DATA:thread}\] \[%{DATA}\] %{SPACE}%{WORD}%{SPACE}%{DATA:Error}\.

please need your assistance .

andres-perez · June 10, 2020, 11:57am

Hi!

I don't know about your multiline configuration and intended use case (what to do with the second line with hyphen - minus. " -- url: ..." line.

Anyway, there is a blank space before the %{SPACE}%{WORD}%{SPACE} so your pattern looks for 2 spaces before a word instead of just 1.

You can check it https://grokconstructor.appspot.com/do/match , it's a good idea to start adding elements one by one to your pattern and confirm that they are working as intended.

system · July 8, 2020, 11:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.