Logstash-grok-filtering problem

abu.sayeed · October 23, 2017, 11:18am

my Example logs:

2017-10-23 16:59:21,784 : [INFO ] http-nio-8080-exec-1597 [c.n.s.c.AbstractSmsClient:567] SENT => smsStatus : [TELCO_SENT] | clientSmsId/gatewaySmsId : [13383383/GP:DAC:GET] | cell : [1712277206] | nazdaqSmsId : [10010337] | smsStatusMsg : [null]

filter {
grok {
match => [ "message", "%{SYSLOGTIMESTAMP:delivery_time}", "%{DATA:Loglevel}", "%{DATA:thread}", "[%{DATA:Client_pid}", "%{DATA:Status}", "%{DATA:Operator}", "%{DATA:cell}", "%{DATA:nazdaqSmsId}", "%{GREEDYDATA:log}" ]
}
}

JSON file:
{
"_index": "filebeat-2017.10.23",
"_type": "logs",
"id": "AV9I4xsLflvzLo5n6OG",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2017-10-23T10:59:23.008Z",
"host": "vNTDACLSWEBP001",
"source": "/home/local/user/nsms/logs/Logs/nsms-server.log",
"message": "2017-10-23 16:59:21,784 : [INFO ] http-nio-8080-exec-1597 [c.n.s.c.AbstractSmsClient:567] SENT => smsStatus : [TELCO_SENT] | clientSmsId/gatewaySmsId : [13383383/GP:DAC:GET] | cell : [1712277206] | nazdaqSmsId : [10010337] | smsStatusMsg : [null]"

But I need the following field
Status: TELCO_SENT
Operator: GP:DAC:GET
Cell : 1712277206
Loglevel: INFO
delivery_time: 2017-10-23 16:59:21,784

What is my wrong?
help me anybody please.
Thanks

magnusbaeck · October 23, 2017, 1:37pm

Multiple problems:

I don't think SYSLOGTIMESTAMP is the right pattern to for your timestamp.
Use a single grok expression instead of your list of expressions, e.g. like this: ^%{SYSLOGTIMESTAMP:delivery_time} : \[%{DATA:Loglevel}\s*\] %{DATA:thread} \[%{DATA:Client_pid}\] ...
Don't use so many DATA patterns. In your case I think you'll find NOTSPACE to be a useful replacement.

system · November 20, 2017, 1:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.