Hello there,
I want to ingest a log with grok patterns in Kibana.
The log time format is slightly different from the ready-made drafts, as below.
03/24 21:56:55.300 INFO Security.....
Time Format -> dd/MM hh:mm:ss.SSS
I want to match it with the DATA pattern, and I am trying to make a stop point at the other field (Log_Type), which can be INFO, WARN or ERROR.
However, I also have to make them (INFO or WARN or ERROR) a field, and I don't know how to do it with regex.
Can anyone help me fix it?
Thanks beforehand.
tsullivan (Tim Sullivan), March 26, 2021, 10:40pm
You could define a regular expression to match the Log_Type:
%{DATA:time} (?<log-level>INFO|WARN|ERROR)
But you shouldn't use a custom regex for this. Take a look at the Grok documentation: Grok filter plugin | Logstash Reference [7.12] | Elastic
There is a syntax to Grok expressions, and it has about 120 built-in patterns defined here: logstash-patterns-core/patterns at master · logstash-plugins/logstash-patterns-core · GitHub
You could use the LOGLEVEL pattern to match your Log_Type data:
%{DATA:timestamp} %{LOGLEVEL:level}
Hi @tsullivan,
%{DATA:time} is not exactly what I am trying to do, because there is one space between the date and the time. The time field will be '03/24'. However, I want to make it all '03/24 21:56:55.300'.
I figured it out by writing a custom regex as you mentioned. Just wanna know if it is possible without regex.
Regards,
tsullivan (Tim Sullivan), March 29, 2021, 4:26pm
Hi, you can use "custom patterns" to create a new pattern by composing built-in patterns. Grok filter plugin | Logstash Reference [7.12] | Elastic
A custom pattern that can match 03/24 21:56:55.300 as a timestamp would look like:
ALIDRSN_DATE %{MONTHNUM}/%{MONTHDAY} %{TIME}
In the Grok Pattern, you use the custom pattern as:
%{ALIDRSN_DATE:date} %{LOGLEVEL:level} %{GREEDYDATA:msg}
The resulting structured data would look like:
{
  "date": "03/24 21:56:55.300",
  "msg": "Security.....",
  "level": "INFO"
}
system (system), Closed, April 26, 2021, 4:27pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.