Match and extract last part of log in pipe delimited log

Pranav1 · June 20, 2017, 11:13am

The number of fields is varaible and not fixed.
My goal is to extract just the Timestamp and Log message and add it as a new key value pair in the document as shown below-

{
"Timestamp": "2017-06-15T09:39:02.619Z",
"message": "Log message"
}

I tried using grok filter. I can get the timestamp using its 'match' option.

grok {
match => { "message" => "%{TIMESTAMP_ISO8601:Timestamp}" }
}

But I am unable to match the log message as the fields in between are variable.

Is it possible to do this using grok filter or can any other filter help?

guyboertje · June 20, 2017, 11:42am

Grok should be fine.
After the %{TIMESTAMP_ISO8601:Timestamp}\| allow for the first pipe, then allow for a variable number of ([^|]+\|)+ then the message %{GREEDYDATA:message}

See http://grokconstructor.appspot.com/do/match
I used this Grok pattern

%{TIMESTAMP_ISO8601:Timestamp}\|(?:[^|]+\|)+%{GREEDYDATA:msg}

I used these lines

2017-06-15T09:39:02.619Z|A|B|C|D|E|this is a long message
2017-06-15T09:39:04.619Z|A|B|E|this is a second long message

I got this result

2017-06-15T09:39:02.619Z|A|B|C|D|E|this is a long message
MATCHED
Timestamp 2017-06-15T09:39:02.619Z
msg       this·is·a·long·message
2017-06-15T09:39:04.619Z|A|B|E|this is a second long message
MATCHED
Timestamp 2017-06-15T09:39:04.619Z
msg       this·is·a·second·long·message

Pranav1 · June 21, 2017, 2:54pm

Thanks a lot Guy. It helped me.

system · July 19, 2017, 2:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.