Log Grok does not work

aroldev · August 31, 2018, 6:29am

Hello elastic community,

I want to parse some log lines and send it to my elasticsearch engine.

My Log looks like this:

2018-08-27T11:56:35:537 | SERVERNAME | 19140 | processname | 27 | 127.0.0.1 | | 0 | Verbose | **** SomeProcessInformation ->GenerateXmlNode(XmlDocument xmldoc, DataRow row) | Leaving. Time needed: 0 ms

I want to grok that lines with

match => {"message" => "%{TIMESTAMP_ISO8601:timestamp}\s\W\s{PROG:hostname}\s\W\s%{POSINT:process_id:int}\s\W\s%{PROG:process_name}\s\W\s%{POSINT:thread_id:int}\s\W\s%{IPORHOST:client_ip}\s\W\s{POSINT:ramUsed:int}\s\W\s%{POSINT:event_id:int}\s\W\s%{WORD:log_level}\s\W\sLeaving. Time needed: %{POSINT:time_used:int}"

When I look into my kibana, the grok does not work. I can only read the plain message.

Can sb. tell my what I made wrong here ?

magnusbaeck · August 31, 2018, 5:10pm

Focus on the part just after "127.0.0.1". There appears to be an empty column afterwards that you're trying to parse into ramUsed.

system · September 28, 2018, 5:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.