Issue with custom parsing in grok filter

jprakash402 · March 14, 2019, 2:22pm

Hi All,

We have a custom log file, which we need to parse to extract some required fields out of it. We have setup Logstash to parse the data and push it to Elasticsearch.

Sample log file.

{"level":"info","message":"API Request:stopInstance, user:user1@gmail.com, InstanceID:i-033daf56fhjb4102c, Message: User initiated EC2 STOP event","timestamp":"2019-03-13T15:54:09.313Z"}

We wanted to extract the fields as below.

level : info
EventName : stopInstance
UserID : user1@gmail.com
InstanceId : i-033daf56fhjb4102c

We tried to use custom regex patterns in grok filter but it didn't work out. We are getting grok parse error. Below is the test logstash config file.

input {
   stdin{}
}
filter {
    grok {
      match => ["message", '(?<EventName>(?<=API:).*?(?= ::))',"message", '(?<level>(?<=el\":\").*?(?=\",\")),"message", '(?<UserID>(?<=user:).*?(?=, Instance))',"message", '(?<InstanceID>(?<=eID).*?(?=, Message))'
        ]
    }
}
output {
   file {
      path => "./test"
   }
}

Could you guys help us here please?

jprakash402 · April 10, 2019, 10:18am

Can someone help us on this please

Badger · April 10, 2019, 11:08am

I would suggest

    json { source => "message" }
    kv { field_split => ", " value_split => ":" }

you can then rename the field with a mutate filter.

system · May 8, 2019, 11:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't Get Custom Grok Filter To Work Logstash	2	326	August 1, 2018
Trouble Parsing Unstructured Logs With Custom Grok Patterns Logstash	2	436	August 2, 2018
Custom pattern problems in the grok filter Logstash	2	2542	July 6, 2017
Custom grok pattern issue Logstash	5	475	June 5, 2018
Grok filter is not working (custom pattern) Logstash	6	1667	May 10, 2017

Issue with custom parsing in grok filter

Sample log file.

Related topics