Discuss the Elastic Stack

Ignore a string from logstash from grok pattern

Elastic Stack Logstash

whoatemyjam (shantanud) November 26, 2019, 6:30pm 1

hi
from a log file like this

2019-11-22 13:02:01 INFO sometext:999 [applicationId=xxxxx] [version=xxxx] [hostname=hostname.domain] [logmessage=all went well]

can we remove the "sometext" and just show value of 999 so far the pattern i can get is this

filter {
  grok {
    match => { "message" => "%{DATESTAMP} %{LOGLEVEL} .*sometext.\s*:%{BASE10NUM:line}  \[applicationId=%{DATA:applicationId}\] \[version=%{DATA:version}\] \[hostname=%{DATA:hostname}\] \[logmessage=%{DATA:logmessage}\]" }

this works fine when message has "sometext" but can we use a regex to ignore any text that is there for example instead of "sometext" it is "thistext"
Thanks

Badger November 26, 2019, 6:37pm 2

You could use

"^%{TIMESTAMP_ISO8601} %{LOGLEVEL} %{WORD}:%{BASE10NUM:line}"

or even

"^%{TIMESTAMP_ISO8601} %{LOGLEVEL} (?:[^:]+):%{BASE10NUM:line}"

whoatemyjam (shantanud) November 26, 2019, 6:46pm 3

Hi Badger
Thanks for coming back this soon, while waiting i tried this pattern and this worked too

%{DATESTAMP} %{LOGLEVEL} .[a-zA-Z]+.\s:%{BASE10NUM:line}

Also tried your suggested solution and worked perfectly

Many Thanks

Badger November 26, 2019, 6:52pm 4

DATESTAMP should not match "2019-11-22 13:02:01". TIMESTAMP_ISO8601 should.

whoatemyjam (shantanud) November 26, 2019, 6:55pm 5

Many Thanks again , i will correct it now

system (system) Closed December 24, 2019, 6:55pm 6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.