Logstash: grok: Create a single structure from multiple patterns

I have logs coming in the following pattern:

================================================================================================== 
CHECK 1 : Below are the missing Components in the patch 
================================================================================================== 
Component abc.core.min missing in xyz.xml
Component abc.bali.ewt missing in pqr.xml
Component abc.bali.jewt missing in xyz.xml
================================================================================================== 
CHECK 2 : Below are the missing DOs in the patch 
================================================================================================== 
Files missing under component abc.assist.acf : emca.sbs
Files missing under component abc.assist.acf : rconfig.sbs
================================================================================================== 

I need to structure this unstructured data in something like the following:

{
  check number: 1
  check name: Below are the missing Components in the patch
  {
    componentName:
    fileName:
  }
  {
    component name:
    missing in file:
  }
}
{
  check number: 2
  check name: Below are the missing DOs in the patch
  {
    componentName:
    fileName:
  }
  {
    componentName:
    fileName:
  }
}

I am trying 2 grok patterns in the filter as follows. Each works in isolation, but the combination does not work. Also, how can the result be mutated to get the output structure I am looking for?

Component %{DATA:componentName}\smissing in\s%{GREEDYDATA:missingInFileName}
%{WORD:check} %{INT:checkNum} : %{GREEDYDATA:checkName}

TIA
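
An added example, not part of the original post: grok matches each line independently, so building one record per CHECK requires state carried across lines. This plain-Ruby sketch shows that grouping on the sample report. The regexes are hand-written stand-ins for the two grok patterns plus a third for the "Files missing under component" lines, and `parse_checks` and the output key names are hypothetical.

```ruby
# Constructed sample: the report lines from the post (separator rows shortened).
SAMPLE_LOG = <<~LOG
  ==========
  CHECK 1 : Below are the missing Components in the patch
  ==========
  Component abc.core.min missing in xyz.xml
  Component abc.bali.ewt missing in pqr.xml
  Component abc.bali.jewt missing in xyz.xml
  ==========
  CHECK 2 : Below are the missing DOs in the patch
  ==========
  Files missing under component abc.assist.acf : emca.sbs
  Files missing under component abc.assist.acf : rconfig.sbs
  ==========
LOG

# Plain-regex stand-ins for the grok patterns (anchored, named captures).
HEADER    = /\ACHECK\s+(?<checkNum>\d+)\s*:\s*(?<checkName>.+?)\s*\z/
COMPONENT = /\AComponent\s+(?<componentName>\S+)\s+missing in\s+(?<fileName>\S+)\s*\z/
FILES     = /\AFiles missing under component\s+(?<componentName>\S+)\s*:\s*(?<fileName>\S+)\s*\z/

# Hypothetical helper: fold the line stream into one record per check.
def parse_checks(text)
  checks = []
  unmatched = []
  text.each_line(chomp: true) do |line|
    next if line.strip.empty? || line.match?(/\A=+\s*\z/) # separator rows
    if (m = HEADER.match(line))
      checks << { "checkNumber" => m[:checkNum].to_i,
                  "checkName" => m[:checkName], "items" => [] }
    elsif (m = COMPONENT.match(line) || FILES.match(line))
      if checks.empty?
        unmatched << line # detail line seen before any CHECK header
      else
        checks.last["items"] << { "componentName" => m[:componentName],
                                  "fileName" => m[:fileName] }
      end
    else
      unmatched << line # keep unparsed lines instead of dropping them silently
    end
  end
  [checks, unmatched]
end

if __FILE__ == $PROGRAM_NAME
  require "json"
  puts JSON.pretty_generate(parse_checks(SAMPLE_LOG).first)
end
```

Lines that match no pattern are returned separately, so a change in the report format shows up as unparsed input rather than as missing records.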
