Logstash grok pattern: Unexpected output

rahulnama · May 29, 2018, 6:05am

Hello,

This is the sample log pattern I'm parsing. I'm using grok but it's not exactly as what I expected

180528 8:46:26 2 Query SELECT 1

To parse this log my grok pattern is

%{NUMBER:date} %{NOTSPACE:time}%{INT:pid}%{GREEDYDATA:message}

and output for this in grok debugger is

{
  "date": [
    [
      "180528"
    ]
  ],
  "time": [
    [
      "8:46:2"
    ]
  ],
  "pid": [
    [
      "6"
    ]
  ],
  "message": [
    [
      " 2 Query\tSELECT 1"
    ]
  ]
}

If you observe in the output, pid is being extracted from time and actual pid which is 2 is being merged in the message. Not sure what went wrong here

Please help, Thanks for your time

magnusbaeck · May 29, 2018, 9:10am

You need spaces between your NOTSPACE, INT, and GREEDYDATA patterns.

rahulnama · May 29, 2018, 10:31am

@magnusbaeck

Still I'm not able to make it

Any suggestions?

magnusbaeck · May 29, 2018, 11:34am

There are two spaces between the timestamp and "2 Query". You can use \s+ to match one or more whitespace characters.

rahulnama · May 29, 2018, 11:48am

It worked

Thankyou much @magnusbaeck

system · June 26, 2018, 11:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Parsing for multiple patterns in single log file Logstash	3	292	May 20, 2022
Grok pattern with space Logstash	2	933	August 4, 2017
Help needed in grok Logstash	5	2636	February 6, 2020
Grok Pattern not matching in Logstash, but matches in Grok Debuggger Logstash	9	450	September 11, 2019
Logstash Grok pattern match issue Logstash	4	432	September 24, 2021

Logstash grok pattern: Unexpected output

Related Topics