Need grok pattern for logstash

zaeemmasood · May 27, 2022, 9:47pm

Hi All,

I need to use grok filter to parse the following log pattern:

[2022-05-24T02:15:20.979+0000][info][gc             ] GC(187) Pause Full (G1 Evacuation Pause) 2559M->1698M(2560M) 724.899ms

The idea is to capture the following from the log:

Date/Time
2559M->1698M showing drop in the heap due to garbage collection
2560M Total heap
724.899ms Time take for GC

I get stumped at the first pattern for date/ timestamp and following does not seem to work when I put in the debugger:

%{TIMESTAMP_ISO8601:time}

Please guide what filters should I use for the entire log message?

Thanks

sudhagar_ramesh · May 29, 2022, 5:22am

Hello @zaeemmasood

Hope this grok pattern would help you

\[%{TIMESTAMP_ISO8601:date_time}\]\[%{WORD:loglevel}\]\[%{WORD:gc}\s*\]\s+%{GREEDYDATA:message} %{GREEDYDATA:drop_heap}\(%{DATA:total_gc}\) %{GREEDYDATA:time_taken}

Attached screenshot for your reference.

Keep Posted!!! Thanks !!!

zaeemmasood · May 30, 2022, 9:27pm

Thanks. That solves my issue. I need to display the fields individually in Kibana. This does not seem to work:

        filter {
                if [type] == "tv_gclog_analysis"  {

                        grok {
                                match => { "message" => "\[%{TIMESTAMP_ISO8601:createdTime}\]\[%{WORD:logLevel}\]+%{GREEDYDATA:message} %{GREEDYDATA:heapDrop}\(%{DATA:maxHeap:int}\) %{GREEDYDATA:timeTaken:int}" }
                                        }

                               }
                        }

Do I need to somehow split the message as follows:

        if [type] == "tv_gclog_analysis"  {
                
				   filter {
					grok {
						match => { "message" => \[%{TIMESTAMP_ISO8601:createdTime}\]\[%{WORD:logLevel}\]+%{GREEDYDATA:message} %{GREEDYDATA:heapDrop}\(%{DATA:maxHeap:int}\) %{GREEDYDATA:timeTaken:int} }
					}
					
				mutate {
                        split => ["message",  ]
                        add_field =>{
                           "createdTime" => "%{[message][0]}"
                           "logLevel" => "%{[message][1]}"
                           "message" => "%{[message][2]}"
                           "heapDrop" => "%{[message][3]}"
			               "maxHeap" => "%{[message][4]}"
			               "time_taken" => "%{[message][5]}"

                       }
					}
				}

Please guide

sudhagar_ramesh · May 31, 2022, 1:52am

Hello @zaeemmasood

this grok pattern should be inside single quotes like the below . if still not working please a raise a new case to assist you further.

 filter {
					grok {
						match => { "message" => '\[%{TIMESTAMP_ISO8601:createdTime}\]\[%{WORD:logLevel}\]+%{GREEDYDATA:message} %{GREEDYDATA:heapDrop}\(%{DATA:maxHeap:int}\) %{GREEDYDATA:timeTaken:int}' }
					}

zaeemmasood · May 31, 2022, 4:03pm

Thanks for your help!

Please let me know if there is a central place where all the possible grok patterns are mentioned?

sudhagar_ramesh · June 1, 2022, 2:15am

Hello @zaeemmasood

In this below elastic article you would find a git repo where it contains mostly all the patterns.

zaeemmasood · June 1, 2022, 6:09pm

Thanks!

system · June 29, 2022, 6:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help with Grok Pattern for SAS log Logstash	3	1260	April 20, 2017
Timestamp pattern not working for logstash filtering Logstash	2	234	November 2, 2022
Need Help for grok pattern for logstash-2.1.0 Logstash	2	572	July 6, 2017
Grok pattern working fine in grok debugger but the same pattern is not working when running with logstash Logstash	14	2717	February 1, 2018
Grok pattern for this specific log Logstash	6	830	March 3, 2022

Need grok pattern for logstash

Related topics