Issue in parsing the data in logstash

viki · June 14, 2017, 3:34pm

Hi,

Facing parsing error with spaces,

Input :
2017-06-13 04:02:18,933 INFO [SIRAHULOG] (http-10.80.6.102-16013-25) Thread ID:221:AppSessionFilter:doPost:user session:Everything matched

We are grep "INFO" (it has two spaces between "INFO" and "[SIRAHULOG]" ) using below

grok {
match => {"message" => [
"^%{TIMESTAMP_ISO8601:time} %{LOGLEVEL:loglevel} [%{DATA:class}] %{GREEDYDATA:message}" ]
}

Output :
.
.
"loglevel" => "INFO",
.
.

But other than INFO like ERROR or FATAL logs we have only one space left between "ERROR" and "[SIRAHULOG]" . So , parsing fails

Example input :

2017-06-14 03:46:09,132 FATAL [SIRAHULOG] (WorkManager(2)-33) Thread ID:147:Error getting Entity Manager for firm 105471 Name : persistence-units/apptivodb3: firm id: 105471

magnusbaeck · June 15, 2017, 6:04am

Adjust your expression to allow for one or more spaces between the tokens:

^%{TIMESTAMP_ISO8601:time} +%{LOGLEVEL:loglevel} +[%{DATA:class}] +%{GREEDYDATA:message}

system · July 13, 2017, 6:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.