Logstash grok

igormarqs · January 28, 2021, 12:40pm

hey all;

I have this log line:

TID: [] [] [2021-01-28 12:25:50,298] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected {org.wso2.carbon.databridge.core.DataBridge}

and i use this grok:

TID: \[] \[] \[%{TIMESTAMP_ISO8601:time}]%{SPACE}%{LOGLEVEL:logLevel} {%{JAVACLASS:class}} -%{SPACE}%{GREEDYDATA:logMessage}

the result is:

{
  "logLevel": "INFO",
  "logMessage": "user admin connected {org.wso2.carbon.databridge.core.DataBridge}",
  "time": "2021-01-28 12:25:50,298",
  "class": "org.wso2.carbon.databridge.core.DataBridge"
}

but sometimes that line log can be like this:

TID: [-1234] [] [2021-01-28 12:25:50,298] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected {org.wso2.carbon.databridge.core.DataBridge}

how can i ignore the 2 first [ ] and what they have inside? to me the only important thing is since the timestamp.

i appreciate any help.

Badger · January 28, 2021, 5:23pm

Change your pattern to "TID: \[%{DATA}] \[] ... which will match zero or more characters inside the square brackets.

system · February 25, 2021, 5:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.