Parse docker logs with logstash

Hello all,

I want to parse log lines like this one:

2017-07-12T12:50:37.944779015Z [2017-07-12T12:50:37,944][INFO ][logstash.pipeline ] Pipeline main started

How can I do that? With grok? Which plug-in better matches my type of log?

[ DETAIL OF THE LOGSTASH.CONF FILE ]

input {
  # Receive the docker log stream over syslog on port 5000, tagged with type "docker"
  syslog {
    port => "5000"
    type => "docker"
  }
}

filter {
  # Try to parse the message field with the built-in combined Apache access-log pattern
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  # Take the event time from the "timestamp" field extracted above
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  # Index the parsed events into Elasticsearch
  elasticsearch {
    hosts => "elasticsearch:9200"
  }
}


I don't think there's a pre-cooked grok pattern for this kind of log. You may have to construct a custom one. The grok constructor web site can be quite helpful with that.
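A custom pattern that parses the line from the question, as an added example that is not from the original thread. It assumes the whole line arrives in the message field; the field names docker_ts, logstash_ts, level, logger and msg are my own choice.

```conf
filter {
  grok {
    # Outer timestamp: docker's own (ISO 8601 with nanoseconds and a Z suffix).
    # Inner bracketed part: logstash's timestamp, level, logger and the message.
    # Field names below (docker_ts, logstash_ts, level, logger, msg) are assumptions.
    match => {
      "message" => "%{TIMESTAMP_ISO8601:docker_ts} \[%{TIMESTAMP_ISO8601:logstash_ts}\]\[%{LOGLEVEL:level}\s*\]\[%{DATA:logger}\s*\] %{GREEDYDATA:msg}"
    }
    # Tag lines that do not match so unparsed events are visible instead of silently indexed.
    tag_on_failure => ["_grokparsefailure_docker"]
  }
  date {
    # Use docker's timestamp as the event time; "ISO8601" accepts the Z suffix.
    # The nanosecond fraction is truncated to millisecond precision.
    match => [ "docker_ts", "ISO8601" ]
    target => "@timestamp"
  }
}
```

For the sample line this yields level "INFO", logger "logstash.pipeline" and msg "Pipeline main started".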

Thanks for your response!! I'll try with http://grokconstructor.appspot.com!
But does the grok plug-in accept regular expressions? If not, how can I use regular expressions to parse the lines?

Quoting the docs:

Grok sits on top of regular expressions, so any regular expressions are valid in grok as well. The regular expression library is Oniguruma, and you can see the full supported regexp syntax on the Oniguruma site.


My bad ... Thanks for all
