Metatrader, how parse this?

immo · October 2, 2019, 3:01pm

Hello! Iam new there, and have some problems with log.
Main problem - log have not only same lines, so i just cant grok it.

Here is an example:

EL 0 4 23:36:56.041 Glfx mt5 live_capital_m datafeed process start completed (127.0.0.1:16389)
PS 0 3 23:36:57.168 127.0.0.1 connected to 127.0.0.1:16389
OL 0 3 23:36:57.178 Glfx mt5 live_capital_m '4': connected to '127.0.0.1:16389'
QO 0 2 23:37:01.314 Monitor connections: 8, cpu: 1%, process cpu: 0%, threads: 718, process threads: 50, handles: 16605, process handles: 1568, disk queue: 0

So what can i do? I can just pull full message, but it makes no sense. Help me pls, great thanks!

Badger · October 2, 2019, 3:09pm

What do you want to get out of those messages?

immo · October 2, 2019, 3:14pm

something like - [name] [id] [level] [time] [ip] [message]

Badger · October 2, 2019, 3:42pm

Only one of those events seems to have the [ip] component, so you can use a grok filter where that field is optional:

grok { match => { "message" => "^%{WORD:name} %{NUMBER:id:int} %{NUMBER:level:int} (?<time>[0-9:\.]+)( %{IP:ip})?%{GREEDYDATA:msg}" } }

immo · October 3, 2019, 6:38am

thanks you! works great, can you explain one thing? for what we need
specify data type "NUMBER:level:INT"? And what if some field ll be empty? Ty again!

Badger · October 3, 2019, 1:27pm

Converting the numbers to "int" is optional. It is sometimes useful so that you can aggregate them in elasticsearch. For example, in web server logs converting the number of bytes sent in response to a request to int makes sense, since that allows you to calculate things like the average response size, or the total bandwidth used. Converting the port number used to int is not helpful, since such aggregations generally make no sense.

system · October 31, 2019, 1:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.