Iostat grok logstash

Pedro_Vilas-Boas · January 3, 2017, 11:53am

Hey, im trying to process logs from iostat, the problem is i have different machines with 1 or 2 disks, which means i have logs with different number of lines

Example:

2017-01-03T10:41:35+0000
Device:            tps    MB_read/s    MB_wrtn/s    MB_read    MB_wrtn
sda               0,00         0,00         0,00          0          0
sdb               1,00         0,00         0,01          0          0

and

2017-01-03T10:37:43+0000
Device:            tps    MB_read/s    MB_wrtn/s    MB_read    MB_wrtn
sda              50,00         0,00         0,53          0          0

Im using the following logstash grok expression:

%{TIMESTAMP_ISO8601:time5}\n%{GREEDYDATA}\n%{WORD:device1}[\s]+%{fl:tps1:float}[\s]+%{fl:read1:float}[\s]+%{fl:write1:float}%{GREEDYDATA}(\n%{WORD:device2:float}[\s]+%{fl:tps2:float}[\s]+%{fl:read2:float}[\s]+%{fl:write2:float}%{GREEDYDATA})?

i put the 2nd line as optional but still it s not working properly, anyone have any idea how to do this?

Thank you in advance

magnusbaeck · January 3, 2017, 12:27pm

Optional how? I don't see anything that makes %{WORD:device2:float}[\s]+%{fl:tps2:float}[\s]+%{fl:read2:float}[\s]+%{fl:write2:float}% optional.

Pedro_Vilas-Boas · January 3, 2017, 12:58pm

Sorry, i forgot to put the ()?

(\n%{WORD:device2:float}[\s]+%{fl:tps2:float}[\s]+%{fl:read2:float}[\s]+%{fl:write2:float}%{GREEDYDATA})?

magnusbaeck · January 3, 2017, 1:54pm

Okay. How is it not working? Which kind of iostat output doesn't it work with?

Pedro_Vilas-Boas · January 3, 2017, 1:57pm

grok pattern:

(?m)%{TIMESTAMP_ISO8601:time5}%{GREEDYDATA:header}sda[\s]+%{fl:tps1:float}[\s]+%{fl:read1:float}[\s]+%{fl:write1:float}%{GREEDYDATA:linha1}\n(sdb[\s]+%{fl:tps2:float}[\s]+%{fl:read2:float}[\s]+%{fl:write2:float}%{GREEDYDATA:linha2})?

result in grokconstructor:

with this grok pattern it appends the sdb line to the previous greedydata from the line above

magnusbaeck · January 3, 2017, 2:02pm

Try not using GREEDYDATA then.

Pedro_Vilas-Boas · January 3, 2017, 2:03pm

So how do i match anything until the end of the line?

GREEDYDATA is working fine from header line to sda line

nellicus · January 3, 2017, 2:09pm

[^$]+

that's the fastest regex I can think of matching 1 or more any char except EOL

system · January 31, 2017, 2:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Solved] Use grok'd timestamp across multiple messages Logstash	5	1548	July 6, 2017
Parse log with different lines in logstash Logstash	2	319	December 13, 2019
GROK pattern for syslogs Logstash	4	7212	October 13, 2021
Having problems parsing data Logstash	4	305	February 18, 2021
Conditional processing in txt file Logstash	5	319	July 10, 2022

Iostat grok logstash

Related topics