Parse log file with two formats in it

Badger · February 3, 2019, 6:29pm

This should give you an idea of how to do it. It drops comments and lines that are just whitespace. Then it parses key=value and stashes it in a class variable. Then it parses anything with multiple commas as a csv. That leaves you with odds and ends to handle, such as

The RTC is running 0 hours, 0 mins and 2 secs behind real time.
The flash last updated 1/3/2018 at 2:04
The last .tab file placed 1/3/2018 at 14:01

If you need to get data out of those lines use grok. Make sure you anchor your patterns using ^.

    if [message] =~ /^#/ {
        drop {}
    } else if [message] =~ /^\s*$/ {
        drop {}
    } else if [message] =~ /^[A-Za-z0-9]+=/ {
        ruby {
            init => '
                @@metadata = {}
            '
            code => '
                msg = event.get("message")
                matches = msg.scan(/^([A-Za-z0-9]+)=(.*)/)
                m = matches[0]
                @@metadata[m[0]] = m[1]
            '
        }
        drop {}
    } else if [message] =~ /,.*,.*,/ {
        csv {
            autodetect_column_names => true
        }
        ruby {
            code => '
                event.set("metadata", @@metadata)
            '
        }
    }

Topic		Replies	Views
Parsing file containing sectional metadata and data Logstash	6	147	March 27, 2024
Parsing multiple log format in same file Logstash	2	433	June 3, 2019
Parsing composite log format only with text Logstash	2	240	June 19, 2019
Differentiate between sections within a single log file Logstash	8	457	March 16, 2019
Merge data and metadata csv file in logstash Logstash	3	785	February 28, 2022

Parse log file with two formats in it

Related topics