HI all
Im new to the ELK stack and i have face fallowing problem when i try to create a pattern for a custom log file
This is the custom log line
INFO [01/Jul/2017:03:38:38 +0530] REQUEST CarrierName Balance Check 15240273
This is the filter i wrote
filter {
grok {
match => { "message" => "%{LOGLEVEL:Info} \[%{TIMESTAMP_ISO8601:time}\] %{URIPROTO:type} %{WORD:carrier} %{NOTSPACE:task} %{NUMBER:id}"}
}
}
But this return "no mathes " on grok debugger
Any suggestions ???
You are using the pattern NOTSPACE and "Balance Check" obviously has a space in it.
Thnk you for your reply and any suggestion on how to capture that
WORD
NOTSPACE
SPACE
DATA
GREEDYDATAhi , Thank you for your feedback and what can i use for that time stamp
\[%{HTTPDATE:timestamp}\]
hi , Thank you for your feedback and what can i use for that time stamp
\[%{HTTPDATE:timestamp}\]
Why don't you try it out?
Regarding how to match "Balance Check", the most efficient would be to match two words with (?<fieldname>\w+ \w+), but is it always two words there? Or do you want to match everything up to the number at the end? In the latter case DATA or GREEDYDATA would be adequate choices.
Anyway, you should be more diligent with the use of ^ and $ anchors. The loglevel should always match at the beginning of the string so your expression should begin with ^%{LOGLEVEL:Info} (I think the Info field name is a misnomer, but that's another story) and it should end with %{NUMBER:id}$ since the number must always be at the end of the string (right?).
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.