Parse docker logs with logstash

DevOpsRoot · July 13, 2017, 9:18am

Hello all,

I want to parse logs lines like this one :

2017-07-12T12:50:37.944779015Z [2017-07-12T12:50:37,944][INFO ][logstash.pipeline ] Pipeline main started

How can i do that ? with grok ? wich plug-in better match with my type of log ?

[ DETAIL OF THE LOGSTASH.CONF FILE ]*******************

input {
syslog {
port => "5000"
type => "docker"
}
}

filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}

output {
elasticsearch {
hosts => "elasticsearch:9200"
}
}

magnusbaeck · July 13, 2017, 9:28am

I don't think there's a pre-cooked grok pattern for this kind of log. You may have to construct a custom one. The grok constructor web site can be quite helpful with that.

DevOpsRoot · July 13, 2017, 9:33am

Thanks for your response !! I try with http://grokconstructor.appspot.com !
But grok plug-in accept regular expresion ? if not how can i use regular expression to parse the lines ?

magnusbaeck · July 13, 2017, 9:38am

Quoting the docs:

Grok sits on top of regular expressions, so any regular expressions are valid in grok as well. The regular expression library is Oniguruma, and you can see the full supported regexp syntax on the Oniguruma site.

DevOpsRoot · July 13, 2017, 9:43am

My bad ... Thanks for all

system · August 10, 2017, 9:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
"Expected one of [ \\t\\r\\n], \"#\", \"{\", \"}\" Logstash docker	3	1214	May 2, 2021
Help with a grok filter for Docker Logstash	2	1179	November 14, 2017
How to parse the logs from docker to logstash Logstash	2	442	March 6, 2018
Parsing IRC Logs Logstash docker	3	185	April 30, 2024
Parse logs Logstash	12	3262	July 6, 2017

Parse docker logs with logstash

Related topics