Logstash grok second row is parsed incorrectly

databeata · July 5, 2018, 10:58pm

The first row is parsed correctly. The second row is parsed incorrectly. What is wrong with my grok pattern?

These are the two rows.

2018-07-05 17:57:11,373 ERROR Failed
2018-07-05 17:57:11,373 ERROR [Timer-Driven Process Thread-6] o.apache.nifi.processors.standard.PutSQL PutSQL[id=ae5119af-3bea-1cba-8309-dc5ffd3f199b] Failed

sudo /path/logstash -e 'input { file { path => "/path/test.log" start_position => beginning sincedb_path => "/dev/null" } } filter { grok { match => { "message" => "%{GREEDYDATA:log_date} %{GREEDYDATA:log_time} %{EMAILLOCALPART:log_level} %{GREEDYDATA:log_text}" } } }'

{
"path" => "/path/test.log",
"@timestamp" => 2018-07-05T22:33:53.185Z,
"log_date" => "2018-07-05",
"@version" => "1",
"host" => "host",
"log_level" => "ERROR",
"message" => "2018-07-05 17:57:11,373 ERROR Failed",
"log_time" => "17:57:11,373",
"log_text" => "Failed"
}
{
"path" => "/path/test.log",
"@timestamp" => 2018-07-05T22:33:53.189Z,
"log_date" => "2018-07-05 17:57:11,373 ERROR [Timer-Driven Process",
"@version" => "1",
"host" => "host",
"log_level" => "o.apache.nifi.processors.standard.PutSQL",
"message" => "2018-07-05 17:57:11,373 ERROR [Timer-Driven Process Thread-6] o.apache.nifi.processors.standard.PutSQL PutSQL[id=ae5119af-3bea-1cba-8309-dc5ffd3f199b] Failed",
"log_time" => "Thread-6]",
"log_text" => "PutSQL[id=ae5119af-3bea-1cba-8309-dc5ffd3f199b] Failed"
}

Christian_Dahlqvist · July 6, 2018, 5:36am

GREEDYDATA tries to match as much as possible. As the message in the second line has more parts separated by space than grok fields the first expression grabs as much as possible and then just releases to the other fields what is needed to make the pattern match. You should always try to use as specific patterns as possible and use of one or more GREEDYDATA or DATA patterns in the same expression can cause this type of problems. I would recommend replacing the first three fields with NOTSPACE to see if that helps.

This blog post contains a guide to efficient use of grok, and is well worth reading.

databeata · July 6, 2018, 4:09pm

How do I handle second line in this example?

line 1:
2018-07-05 17:57:11,373 ERROR [Timer-Driven Process Thread-6] o.apache.nifi.processors.standard.PutSQL

line 2:
java.sql.SQLException: [JDBC Driver]String index out of range: 3

sudo /path/logstash -e 'input { file { path => "/path/test.log" start_position => beginning sincedb_path => "/dev/null" } } filter { grok { match => { "message" => "%{NOTSPACE:log_date} %{NOTSPACE:log_time} %{NOTSPACE:log_level} %{GREEDYDATA:log_text}" } } }'

{
"path" => "/path/test.log",
"@timestamp" => 2018-07-06T15:27:18.449Z,
"log_date" => "2018-07-05",
"@version" => "1",
"host" => "host",
"log_level" => "ERROR",
"message" => "2018-07-05 17:57:11,373 ERROR [Timer-Driven Process Thread-6] o.apache.nifi.processors.standard.PutSQL",
"log_time" => "17:57:11,373",
"log_text" => "[Timer-Driven Process Thread-6] o.apache.nifi.processors.standard.PutSQL"
}
{
"path" => "/path/test.log",
"@timestamp" => 2018-07-06T15:27:18.452Z,
"log_date" => "java.sql.SQLException:",
"@version" => "1",
"host" => "host",
"log_level" => "Driver]String",
"message" => "java.sql.SQLException: [JDBC Driver]String index out of range: 3",
"log_time" => "[JDBC",
"log_text" => "index out of range: 3"
}

system · August 3, 2018, 4:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.