NOT MAtching filter

Abhishek_3003 · July 24, 2018, 11:51am

gc log:
2018-07-17T23:51:35.687+0530: 2315.919: [GC (Allocation Failure) 2018-07-17T23:51:35.687+0530: 2315.919: [ParNew: 12759500K->677810K(13212096K), 0.2544955 secs] 20424219K->8668890K(38377920K), 0.2549210 secs] [Times: user=1.44 sys=0.13, real=0.25 secs]

grok:

%{TIMESTAMP_ISO8601:timestamp}: %{NUMBER:GC started at sec.}: [%{WORD:GC TYPE} (%{GREEDYDATA:STATUS}) %{TIMESTAMP_ISO8601:timestamp}: %{NUMBER:GC started at sec.}: [%{WORD:PROCESS}: %{WORD:BEFORE GC SPACE}->%{WORD:AFTER GC SPACE}(%{WORD:TOTAL SPACE}), %{NUMBER:time to process} %{WORD}] %{WORD:HEAP SPACE BEFPRE GC RAN}->%{WORD:HEAP SPACE AFTER GC RAN}(%{WORD:TOTAL HEAP SPACE}), %{NUMBER:total time GC event} %{WORD}] [%{WORD}: %{WORD}=%{NUMBER:user_time} %{WORD}=%{NUMBER:system_time}, %{WORD}=%{NUMBER:real_time} %{WORD}]

AFTER MATCHING ALL FIELDS ITS SHOWING NOT MATCHED

CAN SOMEONE HELP ME WITH THIS PLZ?

Badger · July 24, 2018, 12:05pm

You need to escape all the parentheses and brackets. Once you do that it will match.

    grok { match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}: %{NUMBER:GC started at sec.}: \[%{WORD:GC TYPE} \(%{GREEDYDATA:STATUS}\) %{TIMESTAMP_ISO8601:timestamp}: %{NUMBER:GC started at sec.}: \[%{WORD:PROCESS}: %{WORD:BEFORE GC SPACE}->%{WORD:AFTER GC SPACE}\(%{WORD:TOTAL SPACE}\), %{NUMBER:time to process} %{WORD}\] %{WORD:HEAP SPACE BEFPRE GC RAN}->%{WORD:HEAP SPACE AFTER GC RAN}\(%{WORD:TOTAL HEAP SPACE}\), %{NUMBER:total time GC event} %{WORD}\] \[%{WORD}: %{WORD}=%{NUMBER:user_time} %{WORD}=%{NUMBER:system_time}, %{WORD}=%{NUMBER:real_time} %{WORD}\]" } }

You'll probably want to replace spaces with underscores in your field names.

Abhishek_3003 · July 25, 2018, 5:03am

thank you

system · August 22, 2018, 5:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.