Logstash Grok

Elk_huh · November 25, 2020, 3:49pm

I need to start a grok at <190>
I dont care about anything before that . What is the way to do this ?

<13>Nov 25 15:36:31 servername.abc.com LOGSTASH[-]: <190>Nov 25 07:36:31

Wolfram_Haussig · November 26, 2020, 5:43am

Hello Brian,

Yo can use the grok debugger in Kibanas Dev Tools to test it: Grok patterns do not necessarily need to start at the beginning of the message. Something like this will work:
<190>%{MONTH:month} %{MONTHDAY:day} %{TIME:time}

Best regards
Wolfram

Elitlogik · November 26, 2020, 1:06pm

Are you 100% sure <190> will be the PRI header for 100% of the log events? Never <189>?

Elk_huh · December 1, 2020, 3:51pm

i ended up doing a %{GREEDYDATA:notneeded} %{SYSLOG5424PRI}

to start at <190>

system · December 29, 2020, 3:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_grokparsefailure but grok debugger looks good Logstash	18	3005	August 19, 2021
Simple question about timestamp in logs Kibana	4	219	April 9, 2023
Problem with logstash Logstash	2	223	July 24, 2018
Grok pattern for date Logstash	6	2004	June 13, 2019
Grok pattern construction Logstash	3	222	May 4, 2022

Logstash Grok

Related topics