Multiple logs pattern in single grok

Hello Sir

I have a single log file which has different patterns. I just want to create a single grok which will work on all patterns. Please help me; in this condition, what should I do?
#log1
2018-06-14 13:55:59.059 : INFO : (50280 | DIRECTOR) : (IS | PC_IS_SVC_QA02_UNICODE) : node01_tclasetlq002 : VAR_27028 : Use override value [rf_data_conversion@tiffany.com] for user-defined workflow/worklet variable:[$$wf_email].
#log2
2018-06-14 13:55:59.059 : INFO : (50280 | DIRECTOR) : (IS | PC_IS_SVC_QA02_UNICODE) : node01_tclasetlq002 : VAR_27027 : Use default value [] for mapping variable:[$$wf_name].
#log3
2018-06-14 13:55:59.059 : INFO : (50280 | DIRECTOR) : (IS | PC_IS_SVC_QA02_UNICODE) : node01_tclasetlq002 : TM_6685 : Workflow: [wf_JDE_World_to_E1_RFConversion_F4201_F4211_to_F5847001_F5847003] Run Instance Name: [TAIWAN] Run Id: [301803]

Grok
%{DATESTAMP:time} : %{WORD:LOGLEVEL} : (%{DATA:d1}) : (%{DATA:d2}) : %{WORD:d3} : %{WORD:d4} : %{DATA:D5}[(?[a-zA-Z0-9_.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*)]%{DATA:D6}[%{GREEDYDATA:D7}]

This pattern works on #log1. Please guide me ...

I would approach that using dissect before doing any grok.

dissect { mapping => { "message" => "%{ts} %{+ts} : %{loglevel} : %{d1} : %{d2} : %{d3} : %{restOfLine}" } }

You mean inside the Logstash filter, I need to call this mapping? Here is my problem: I need to extract some fields from the rest of the line, and if there is any email ID then I need to extract that field as well. Can you help me, how can I extract fields from the rest of the line?

Identifying an email address is a really hard problem. For simple cases something like

grok { match =>  { "restOfLine" => "\[%{EMAILADDRESS:email}\]" } }

would work. But that's not going to work with an email address like "me@foo.example.com"@bar.example.com (i.e. routing embedded in the address) and certainly not with international email addresses such as अजय@डाटा.भारत
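
The dissect and grok steps from the replies above, combined into one filter that handles all three sample lines. This is an added example, not a configuration posted by anyone in the thread; the field names `code`, `workflow`, `run_instance` and `run_id` are assumptions chosen for illustration.

```logstash
filter {
  # Stage 1: split the fixed, colon-delimited prefix that every line shares.
  # This is the mapping from the reply above; everything after the node name
  # (message code plus free text) lands in restOfLine.
  dissect {
    mapping => {
      "message" => "%{ts} %{+ts} : %{loglevel} : %{d1} : %{d2} : %{d3} : %{restOfLine}"
    }
  }

  # Stage 2: only the variable tail needs regex work. grok tries the patterns
  # in order and stops at the first match, so the most specific one goes
  # first and the catch-all goes last.
  grok {
    match => {
      "restOfLine" => [
        # #log3 style: workflow name, run instance and run id in brackets
        "^%{WORD:code} : Workflow: \[%{DATA:workflow}\] Run Instance Name: \[%{DATA:run_instance}\] Run Id: \[%{INT:run_id}\]",
        # #log1 style: a bracketed email address somewhere in the text
        "^%{WORD:code} : %{DATA}\[%{EMAILADDRESS:email}\]",
        # #log2 style and anything else: keep just the message code.
        # Addresses that EMAILADDRESS cannot match (quoted local parts,
        # international addresses) also end up here, without an email field.
        "^%{WORD:code} : "
      ]
    }
    # The catch-all should always match; suppress the failure tag anyway so
    # an unexpected line is not marked as a parse failure by this stage.
    tag_on_failure => []
  }
}
```

Because the last pattern matches any line with a message code, an event that has `code` but no `email` either had no address or had one the simple pattern could not recognise.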
