Issue with custom parsing in grok filter

jprakash402 · March 14, 2019, 2:22pm

Hi All,

We have a custom log file, which we need to parse to extract some required fields out of it. We have setup Logstash to parse the data and push it to Elasticsearch.

Sample log file.

{"level":"info","message":"API Request:stopInstance, user:user1@gmail.com, InstanceID:i-033daf56fhjb4102c, Message: User initiated EC2 STOP event","timestamp":"2019-03-13T15:54:09.313Z"}

We wanted to extract the fields as below.

level : info
EventName : stopInstance
UserID : user1@gmail.com
InstanceId : i-033daf56fhjb4102c

We tried to use custom regex patterns in grok filter but it didn't work out. We are getting grok parse error. Below is the test logstash config file.

input {
   stdin{}
}
filter {
    grok {
      match => ["message", '(?<EventName>(?<=API:).*?(?= ::))',"message", '(?<level>(?<=el\":\").*?(?=\",\")),"message", '(?<UserID>(?<=user:).*?(?=, Instance))',"message", '(?<InstanceID>(?<=eID).*?(?=, Message))'
        ]
    }
}
output {
   file {
      path => "./test"
   }
}

Could you guys help us here please?

jprakash402 · April 10, 2019, 10:18am

Can someone help us on this please

Badger · April 10, 2019, 11:08am

I would suggest

    json { source => "message" }
    kv { field_split => ", " value_split => ":" }

you can then rename the field with a mutate filter.

system · May 8, 2019, 11:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter is not working (custom pattern) Logstash	6	1667	May 10, 2017
Logstash custom pattern not working Logstash	6	441	October 14, 2019
Problem with Grok filter with my logfile Logstash	2	600	July 6, 2017
Passing custom regex inside grok filter Logstash	2	1336	February 19, 2021
Grok filter request for json/custom pattern Logstash	1	174	March 9, 2023

Issue with custom parsing in grok filter

Sample log file.

Related Topics