Need help with grok expression logstash

Elastic Stack Logstash
1

Hello,
I am new to Logstash and Grok filters. My sample logs of glassfish server look like this:

  [2025-03-02T17:17:00.722133Z] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=693 _ThreadName=Thread-257] [levelValue: 800] [[
  251460488 [Thread-257] INFO  ma.xxx.xxxx.server.restproxy.RemoteRestProxyFactory  - searchAllCoordinates in service discovery for repository.upload]]

I have the following Grok expression, but the message isn't being filtered as expected:

\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:glassfish_version}\] \[%{LOGLEVEL:loglevel}\] \[\] \[%{DATA:logger}\] \[tid: _ThreadID=%{NUMBER:thread_id} _ThreadName=%{DATA:thread_name}\] \[levelValue: %{NUMBER:level_value}\] \[\[\n(?<message>(?s).*?)\]\].

Thanks in advance

2

it doesn't like the (?s) you've added after <message>

This works just fine for me:
\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:glassfish_version}\] \[%{LOGLEVEL:loglevel}\] \[\] \[%{DATA:logger}\] \[tid: _ThreadID=%{NUMBER:thread_id} _ThreadName=%{DATA:thread_name}\] \[levelValue: %{NUMBER:level_value}\] \[\[\n(?<message>.*?)\]\]

3

grok logstash
grok logstash1534×687 135 KB

Thanks, it doesn't work for me because there is a line break after [[

4

Plz, i want grok pattern for my case

5

those aren't lines, those are different samples

different lines in a log would have a \n between them

If your pipeline is producing two events from the message because it's on two lines in the log file then you need to setup a multi-line reader to ensure that both lines end up in the message field of the log.

your grok pattern already has a \n in it to handle this

1 Like