Logstash grok filter ignoring white space delimiter

elasticheart · January 24, 2017, 5:44am

Hi,

I am using Logstash GA 5.0.0 with Kafka. I am ading a custom parameter "logtype":"mylogs" in kafka input. I have a Kafka message like;

##SEVERE 05-Jan-2017 06:02:25.562 com.memberA.studentB.classCa startup CUSTOM_FOUR::printf():::AA##

and in Logstash grok, i use filter like;

match => { "message" => "^##(?<severity>(SEVERE|INFO|WARN)) (?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}) %{GREEDYDATA:className} %{GREEDYDATA:msg2}" }

but my Logstash output is like below;

{
	"severity":"SEVERE",
	"logtype":"mylogs",
	"msg2":"CUSTOM_FOUR::printf():::AA##",
	"@timestamp":"2017-01-24T05:32:30.226Z",
	"@version":"1",
	"className":"com.memberA.studentB.classCa startup",
	"message":"##SEVERE 05-Jan-2017 06:02:25.562 com.memberA.studentB.classCa startup CUSTOM_FOUR::printf():::AA##",
	"timestamp":"05-Jan-2017 06:02:25.562"
}

The tag className is suppose to be like com.memberA.studentB.classCa, but it slike com.memberA.studentB.classCa startup now. The term startup is coming along with it. How can I fix this?

Thanks.

Christian_Dahlqvist · January 24, 2017, 5:53am

As you just want the className pattern to capture up until the first space, try replacing GREEDYDATA:className with NOTSPACE:className.

elasticheart · January 24, 2017, 5:57am

It works! Thank you so much @Christian_Dahlqvist

system · February 21, 2017, 5:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.