Logstash Grok filter code

VidyaKumar · March 23, 2018, 11:06pm

Hi all, Need your help with grok: How do I code for the following line?

6a 00001020 m 20420 ltel2drv 18/03/14 13:12:17.422057 CC0: DlschInfo: UE=16, SFNSF=7616, cell=PCC, msgType,nRB=000004, HID=0, HARQ_12=10, nRTX_12=00, MCS_12=0600, TBS_12=00490000, padBytes_12=00000000, Q=0

I am able to code till CC0: and after that I am able to take in as greedydata:
match => ["message", "%{WORD:msgtype}%{SPACE}%{WORD:code1}%{SPACE}%{WORD:module}%{SPACE}%{WORD:code2}%{SPACE}%{WORD:type1}%{SPACE}%{DATESTAMP:timestamp}%{SPACE}\(%{WORD:method}\:%{SPACE}%{NUMBER:code3}\)%{SPACE}%{GREEDYDATA:msg}"]

But after CC0, I need it to be separate fields and not greedydata.
Can someone help me on this?
Thanks!

yaauie · March 24, 2018, 7:13am

It's very hard to ask someone to define a generalised pattern for something and also only provide a single example.

When I paste your single message and pattern into the Grok Constructor, I see that after the timestamp field, your pattern expects a space, followed by a literal open paren ((), but the log message does not have an open paren at this position.

Once you get the GREEDYDATA to capture only that which is after DlschInfo:, you can likely use the kv filter to capture the key/value pairs in the rest.

Topic		Replies	Views
Grok filter with spaces in field Logstash	5	5283	August 2, 2017
Grok filter issue with data on Logstah config Logstash	4	345	June 7, 2019
Separate part of log in Logstash Logstash	3	657	July 6, 2017
Filter logstash with grok not work Beats filebeat	6	481	January 21, 2021
Logstash Grok problem Logstash	1	370	January 2, 2020

Logstash Grok filter code

Related topics