Logstash grok pattern - optional fields

txisme · December 13, 2016, 2:23pm

Hey,

im using Logstash 2.4 and i need to process log files so i am using grok patterns. I am having trouble with optional fields, i have several logs wich can have or not have a specific field, in this case "correlationID"

Logs example:

2016-12-13T11:08:07,370 DEBUG  [main|tc.im.pm.PMModuleController] [PM] Loaded.
2016-12-13T11:08:10,194 INFO  ce75b152-7c2d-4489-83f2-cb0cda7ded9a [im-trip konsumer|tc.controller.api.ControllerHandler] State change is for myself. Checking if I need to do anything...

Grok pattern used:

(?m)%{TIMESTAMP_ISO8601:time}\s%{WORD:loglevel}\s\s(%{corID:correlationID})?\s%{GREEDYDATA:value}

grok pattern for correlationID used:

corID ([^\s]+)

What happens is that in the first log, where no correlationID exists, this grok pattern is putting "[main|tc.im.pm.PMModuleController]" in the correlationID field.

Anyone knows how to do this so it puts the correlationID empty in the first log?

txisme · December 13, 2016, 2:39pm

Dont know why but a lot of times i organize my thoughts to post my doubts here, things get much clearer

i managed to solve this by changing the corID grok pattern to ([^\s[]]+)

Thanks

system · January 10, 2017, 2:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.