I want to combine field

BlackCat · March 25, 2021, 7:47am

I want to new create "Message" field by "Thread" + "Loglevel" + "Content".
Please teach me how to do it.

Raw log.

[13172] [INFO] 2021-03-25 09:18:21.150 +0900 : Java class name: org.apache.catalina.startup.Bootstrap; Method name: main; Arguments: start

I use below grok.

%{NOTSPACE:Thread} %{NOTSPACE:Loglevel} %{TIMESTAMP_ISO8601:Time} %{ISO8601_TIMEZONE} %{GREEDYDATA:Content}

Structured Data.

{
  "Loglevel": "[INFO]",
  "Content": ": Java class name: org.apache.catalina.startup.Bootstrap; Method name: main; Arguments: start",
  "Time": "2021-03-25 09:18:21.150",
  "Thread": "[13172]"
}

Badger · March 25, 2021, 5:50pm

You can create a field using sprintf references

mutate { replace => { "message" => "%{Thread} %{Loglevel} %{Content}" } }

BlackCat · March 26, 2021, 1:46am

Thank you for your reply.

I thought same your solution.
Cause is above "else if" part and I replaced.
I use file name in "else if".

It work.

system · April 23, 2021, 1:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.