Hi,
I am trying to parse the following logs:
<0> 2019-11-08 16:26:03.420 10.5.4.2 [logsource="" logid="50"] SystemTrace TID:1 Tracer started.
<1> 2019-11-08 16:26:03.418 10.5.4.2 [logsource="" logid="50"] SystemTrace TID:1 Operations1.GetErrorCode| --> Start
<2> 2019-11-08 16:26:03.434 10.5.4.2 [logsource="" logid="40"] FunctionTrace TID:1 Operations2.Get| --> Start
<5> 2019-11-08 16:26:03.747 10.5.4.2 [logsource="" logid="30"] Information TID:1 Test Created08/11/2019 16:26:03
<7> 2019-11-08 16:26:04.012 10.5.4.2 [logsource="" logid="50"] SystemTrace TID:8 LoginPortal Logout 1.2.4.5 Session has been expired
I wrote two Grok patterns, tested them individually, and they are working fine. However, when I combine the Grok patterns to parse the above logs, it does not map some of the data to the correct column. Here is the Grok pattern:
(<%{INT:SerialNo}>\t%{TIMESTAMP_ISO8601:timestamp}\t%{IP:ipaddress}\t\[.*?=%{QUOTEDSTRING:logsource} .*?=%{QUOTEDSTRING:logid}\]\t%{WORD:Category}\t.*?:%{INT:TID}\t%{WORD:ControllerName}\.%{WORD:function}[|] [-]+[>] %{WORD:Position}\s*%{GREEDYDATA:Duration})|(<%{INT:SerialNo}>\t%{TIMESTAMP_ISO8601:timestamp}\t%{IP:ipaddress}\t\[.*?=%{QUOTEDSTRING:logsource} .*?=%{QUOTEDSTRING:logid}\]\t%{WORD:Category}\t.*?:%{INT:TID}\t%{GREEDYDATA:message})
Kindly assist me.
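An added example, not from the original post, that parses the five sample lines above with Python's re module rather than Grok. The Grok macros are expanded into hand-written regex fragments (assumed to be close enough to the built-in INT, TIMESTAMP_ISO8601, IP, QUOTEDSTRING and WORD patterns for these inputs), whitespace is matched with \s+ because the pasted lines show spaces where the post's pattern uses \t, and the dot between ControllerName and function is escaped. Instead of one regex whose two alternatives reuse the same field names, the trace-specific pattern and the generic message pattern are kept separate and tried in order, so each line only receives the fields of the pattern that actually matched:

```python
import re

# Constructed sample input: the five lines from the post (tabs may have become spaces on paste).
SAMPLE_LOGS = [
    '<0> 2019-11-08 16:26:03.420 10.5.4.2 [logsource="" logid="50"] SystemTrace TID:1 Tracer started.',
    '<1> 2019-11-08 16:26:03.418 10.5.4.2 [logsource="" logid="50"] SystemTrace TID:1 Operations1.GetErrorCode| --> Start',
    '<2> 2019-11-08 16:26:03.434 10.5.4.2 [logsource="" logid="40"] FunctionTrace TID:1 Operations2.Get| --> Start',
    '<5> 2019-11-08 16:26:03.747 10.5.4.2 [logsource="" logid="30"] Information TID:1 Test Created08/11/2019 16:26:03',
    '<7> 2019-11-08 16:26:04.012 10.5.4.2 [logsource="" logid="50"] SystemTrace TID:8 LoginPortal Logout 1.2.4.5 Session has been expired',
]

# Hand-written approximations of the Grok macros used in the post (assumption, not the
# Logstash definitions themselves). QUOTEDSTRING keeps the quotes, as Grok does.
INT = r"[+-]?\d+"
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
QUOTEDSTRING = r'"[^"]*"'
WORD = r"\w+"

# Prefix shared by both patterns: serial, timestamp, ip, the [logsource logid] block, category, TID.
COMMON_PREFIX = (
    rf"<(?P<SerialNo>{INT})>\s+(?P<timestamp>{TIMESTAMP_ISO8601})\s+(?P<ipaddress>{IP})\s+"
    rf"\[.*?=(?P<logsource>{QUOTEDSTRING}) .*?=(?P<logid>{QUOTEDSTRING})\]\s+"
    rf"(?P<Category>{WORD})\s+.*?:(?P<TID>{INT})\s+"
)

# Specific pattern first: "Controller.function| --> Position [Duration]".
TRACE_PATTERN = re.compile(
    COMMON_PREFIX
    + rf"(?P<ControllerName>{WORD})\.(?P<function>{WORD})\| -+> (?P<Position>{WORD})\s*(?P<Duration>.*)$"
)

# Generic fallback: everything after the TID becomes the message.
MESSAGE_PATTERN = re.compile(COMMON_PREFIX + r"(?P<message>.*)$")

# Ordered list, most specific first; the first pattern that matches wins.
PATTERNS = (TRACE_PATTERN, MESSAGE_PATTERN)


def parse_line(line):
    """Return a dict of named fields for the first pattern that matches, or None."""
    for pattern in PATTERNS:
        match = pattern.match(line)
        if match:
            return match.groupdict()
    return None


def parse_all(lines):
    """Parse a sequence of lines; unparsed lines are kept as {'raw': line} so nothing is lost."""
    return [parse_line(line) or {"raw": line} for line in lines]


if __name__ == "__main__":
    for row in parse_all(SAMPLE_LOGS):
        print(row)
```

The equivalent in the grok filter is to hand `match` a list of two patterns (the trace pattern first, the generic one second) instead of joining them with `|`; with the default `break_on_match` the filter stops at the first pattern that matches, so the `message` field is only set for lines the trace pattern rejected.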