Logstash GROK for single letter

I have the below log. Please help me to parse it, as I am not able to go beyond date and time.

[Fri Aug 05 11:32:10 2016] [D] [17819(139987138922464)] checking [/libs/granite/csrf/token.json]

What pattern do you have so far?
Have you tried http://grokdebug.herokuapp.com/?

I have tried many, but somehow the date and time do not match the existing syntax to put it in a single column. Also, I am able to break the dates, but I am not able to pick [D] as there is no pattern to pick a single letter.

GREEDYDATA picks everything.

\[%{WORD:single_letter}\]
\[%{NOTSPACE:single_letter}\]

Either should pick the single letter for you if the letter is always at that position.

Can you please give me the grok for the whole log?

[Fri Aug 05 11:32:10 2016] [D] [17819(139987138922464)] checking [/libs/granite/csrf/token.json]

I am again stuck at 17819(139987138922464) as it needs to go into two columns, and also the date is not going into one column.

Repeating what others already have requested: Please show us what you have so far. It's less work for us to modify an existing pattern than writing one from scratch. It's in your best interest to make our lives as simple as possible.

[%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}] [%{WORD:single_letter}] [%{INT:number1}(%{INT:number2}) %{GREEDYDATA:message}

[%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}] [%{WORD:single_letter}] [%{INT:number1}(%{INT:number2})]%{GREEDYDATA}

This is the updated one. What I see here is that the date does not go into one column in a proper datetime format.

You must escape some characters such as ( ) [ ].

The following should parse everything after the timestamp.

\[%{WORD:letter}\] \[%{INT:int1}\(%{INT:int2}\)\] checking \[%{UNIXPATH:path}\]

Use \ to escape those chars as I did above; your timestamp regex should work. I'm on a tablet now, can't do much.

Thanks anhlqn, that has been a good help. Even though I have been able to parse it, the only place I am stuck is with the date and time not going into a single column.

Create a custom timestamp pattern first, then use that pattern to parse the whole string. Search for timestamp grok pattern to see examples.

MY_TIMESTAMP %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}

\[%{MY_TIMESTAMP:timestamp}\] \[%{WORD:letter}\] \[%{INT:int1}\(%{INT:int2}\)\] checking \[%{UNIXPATH:path}\]

Or use named captures:
(?<timestamp>\[%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}\]) \[%{WORD:single_letter}\] \[%{INT:number1}\(%{INT:number2}\)\]%{GREEDYDATA}

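As an added example (not code from this thread or from Logstash itself), here is a small Python grok expander that applies the final escaped pattern and the MY_TIMESTAMP custom pattern to the sample line, then converts the captured timestamp the way the date filter would with "EEE MMM dd HH:mm:ss yyyy". The base patterns are a transcribed subset of Logstash's grok-patterns file; the function names (expand, grok, parse_line) are my own.

```python
import re
from datetime import datetime

# Subset of Logstash's built-in grok patterns transcribed as plain regex (YEAR drops grok's
# atomic (?>...) group, which Python's re lacks).
BASE_PATTERNS = {
    "DAY": r"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)",
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})?(?![0-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "WORD": r"\b\w+\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "UNIXPATH": r"(?:/[\w%!$@:.,+~-]+)+",
}
# The custom pattern from the thread, as it would appear in a patterns_dir file.
CUSTOM_PATTERNS = {"MY_TIMESTAMP": r"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"}
# %{NAME:field} captures into "field"; a bare %{NAME} is just a sub-pattern reference.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern, patterns):
    """Recursively turn grok references into regex groups (named when a field is given)."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = expand(patterns[name], patterns)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, pattern)

def grok(pattern, line, custom=None):
    """Apply one grok pattern to one line; return the captured fields, or None on mismatch."""
    m = re.search(expand(pattern, {**BASE_PATTERNS, **(custom or {})}), line)
    return m.groupdict() if m else None

# The log line from the thread and the final pattern, with [ ] ( ) escaped as literals.
LOG_LINE = "[Fri Aug 05 11:32:10 2016] [D] [17819(139987138922464)] checking [/libs/granite/csrf/token.json]"
PATTERN = (r"\[%{MY_TIMESTAMP:timestamp}\] \[%{WORD:letter}\] "
           r"\[%{INT:int1}\(%{INT:int2}\)\] checking \[%{UNIXPATH:path}\]")

def parse_line(line=LOG_LINE):
    """Grok the line, then do what the date filter does with "EEE MMM dd HH:mm:ss yyyy"."""
    fields = grok(PATTERN, line, CUSTOM_PATTERNS)
    if fields is None:
        return None
    fields["@timestamp"] = datetime.strptime(fields["timestamp"], "%a %b %d %H:%M:%S %Y").isoformat()
    fields["int1"], fields["int2"] = int(fields["int1"]), int(fields["int2"])
    return fields
```

Calling parse_line() returns the five grok fields plus an ISO-8601 @timestamp, which is the single date column the thread was after.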