I want to create grok pattern for custom log

Atul_Gunjal · April 8, 2020, 1:58pm

Hi,
Following is a log-pattern and I tried creating one but it didn't work.

Log:

2020-04-07	00:00:02	Local0	Info	00:00:01:911	DMSTST-TBOX.DEV.cloud.companyname.com	DEV\DMSTST-TBOX$|17352|DICOM Service	VMSDBD_SVC_DICOM	008940/Remote Implementation Class UID: '1.2.276.0.7230010.3.0.3.6.3', Implementation Version Name: 'OFFIS_DCMTK_363'

Pattern:

%{TIMESTAMP_ISO8601:date} \t %{KEYWORD:typedata} %{KEYWORD:loglevel} %{GREEDYDATA} %{KEYWORD:host} %{KEYWORD:serviceinfo} %{KEYWORD:component} %{TEXT:messagefield}

Can anyone help me with this?

Badger · April 8, 2020, 2:13pm

How have you defined the KEYWORD pattern?

Atul_Gunjal · April 8, 2020, 2:27pm

I am using KEYWORD as datatype mapping.

Badger · April 8, 2020, 4:02pm

A grok pattern and an elasticsearch mapping are unrelated concepts.

Atul_Gunjal · April 9, 2020, 4:16am

I just want to create grok for tab separated field but I don't know ho to do that...even I tried with grok constructor but seems tab is not working.

Badger · April 9, 2020, 2:42pm

You can just use a literal tab in the pattern.

Atul_Gunjal · April 16, 2020, 10:19am

%{TIMEFORMAT:eventtime}\t%{WORD:typedata}\t%{WORD:loglevel}\t%{GREEDYDATA}\t%{GREEDYDATA:host}\t%{SERVMSG}

TIMEFORMAT %{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME}
SERVMSG %{GREEDYDATA:serviceinfo}\t\t%{GREEDYDATA:message}|%{GREEDYDATA:message}

works well.
Thanks.

system · May 14, 2020, 10:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.