Metatrader, how parse this?

Elastic Stack Logstash
1

Hello! Iam new there, and have some problems with log.
Main problem - log have not only same lines, so i just cant grok it.

Here is an example:

EL 0 4 23:36:56.041 Glfx mt5 live_capital_m datafeed process start completed (127.0.0.1:16389)
PS 0 3 23:36:57.168 127.0.0.1 connected to 127.0.0.1:16389
OL 0 3 23:36:57.178 Glfx mt5 live_capital_m '4': connected to '127.0.0.1:16389'
QO 0 2 23:37:01.314 Monitor connections: 8, cpu: 1%, process cpu: 0%, threads: 718, process threads: 50, handles: 16605, process handles: 1568, disk queue: 0

So what can i do? I can just pull full message, but it makes no sense. Help me pls, great thanks!

2

What do you want to get out of those messages?

3

something like - [name] [id] [level] [time] [ip] [message]

4

Only one of those events seems to have the [ip] component, so you can use a grok filter where that field is optional:

grok { match => { "message" => "^%{WORD:name} %{NUMBER:id:int} %{NUMBER:level:int} (?<time>[0-9:\.]+)( %{IP:ip})?%{GREEDYDATA:msg}" } }
5

thanks you! works great, can you explain one thing? for what we need
specify data type "NUMBER:level:INT"? And what if some field ll be empty? Ty again!

6

Converting the numbers to "int" is optional. It is sometimes useful so that you can aggregate them in elasticsearch. For example, in web server logs converting the number of bytes sent in response to a request to int makes sense, since that allows you to calculate things like the average response size, or the total bandwidth used. Converting the port number used to int is not helpful, since such aggregations generally make no sense.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.