Logstash grok pattern: Unexpected output

rahulnama · May 29, 2018, 6:05am

Hello,

This is the sample log pattern I'm parsing. I'm using grok but it's not exactly as what I expected

180528 8:46:26 2 Query SELECT 1

To parse this log my grok pattern is

%{NUMBER:date} %{NOTSPACE:time}%{INT:pid}%{GREEDYDATA:message}

and output for this in grok debugger is

{
  "date": [
    [
      "180528"
    ]
  ],
  "time": [
    [
      "8:46:2"
    ]
  ],
  "pid": [
    [
      "6"
    ]
  ],
  "message": [
    [
      " 2 Query\tSELECT 1"
    ]
  ]
}

If you observe in the output, pid is being extracted from time and actual pid which is 2 is being merged in the message. Not sure what went wrong here

Please help, Thanks for your time

magnusbaeck · May 29, 2018, 9:10am

You need spaces between your NOTSPACE, INT, and GREEDYDATA patterns.

rahulnama · May 29, 2018, 10:31am

@magnusbaeck

Still I'm not able to make it

Any suggestions?

magnusbaeck · May 29, 2018, 11:34am

There are two spaces between the timestamp and "2 Query". You can use \s+ to match one or more whitespace characters.

rahulnama · May 29, 2018, 11:48am

It worked

Thankyou much @magnusbaeck

system · June 26, 2018, 11:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Parsing for multiple patterns in single log file Logstash	3	293	May 20, 2022
Help with particular grok pattern (SOLVED) Logstash	3	750	October 19, 2017
Grok pattern with space Logstash	2	936	August 4, 2017
Help needed in grok Logstash	5	2646	February 6, 2020
Logstash Grok pattern match issue Logstash	4	432	September 24, 2021

Logstash grok pattern: Unexpected output

Related topics