Parse logs having pipe separator

Hi I am having the log format as below.

2021-10-16 00:14:14|http-nio-2222-exec-1|DEBUG|c.v.a.ultimatevault.web.TraceFilter|01AD08F98FB24AB7A639383F44613AE4|Processing request:- id: 01AD08F98FB24AB7A639383F44613AE4 method: GET path: /|
2021-10-16 00:14:14|http-nio-2222-exec-1|DEBUG|c.v.a.ultimatevault.web.TraceFilter|01AD08F98FB24AB7A639383F44613AE4|Returning status:- id: 01AD08F98FB24AB7A639383F44613AE4 method: GET path: /|
2021-10-16 00:14:15|http-nio-2222-exec-9|DEBUG|c.v.a.ultimatevault.web.TraceFilter|8235965B298343CF80198C7E443A86DF|Processing request:- id: 8235965B298343CF80198C7E443A86DF method: GET path: /|

How to parse this using Logstash? Need immediate response.

I am having below filter

filter {
  grok {
    match => {"message" => "%{TIMESTAMP_ISO8601:timestamp}|([%{DATA:thread}])?|%{LOGLEVEL:level}%|%{JAVACLASS:class}.|%{DATA:method}|%{GREEDYDATA:loggedString}"
    }
  }
}

but it's not working.

Thanks

Need help on immediate basis

How can we parse this?
Please assist

Thanks in advance

Please be patient in waiting for responses to your question and refrain from pinging multiple times asking for a response or opening multiple topics for the same question. This is a community forum, it may take time for someone to reply to your question. For more information please refer to the Community Code of Conduct specifically the section "Be patient". Also, please refrain from pinging folks directly, this is a forum and anyone that participates might be able to assist you.

If you are in need of a service with an SLA that covers response times for questions then you may want to consider talking to us about a subscription.

It's fine to answer on your own thread after 2 or 3 days (not including weekends) if you don't have an answer.

Yes, got it. Thanks @dadoonet

@stephenb last time we have processed same logs but now having pipe separator in it.

I would recommend using the dissect filter instead as it is generally faster for this type of pattern and often easier to configure and troubleshoot.

I would suggest using a dissect filter to take apart the | separated fields, then use a set of grok filters to chop up things like

Returning status:- id: 01AD08F98FB24AB7A639383F44613AE4 method: GET path: /

since that looks a lot like

Processing request:- id: 8235965B298343CF80198C7E443A86DF method: GET path: /
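The dissect-then-grok approach suggested above, written out as an added example (not code from any poster in this thread). The field names `request_id`, `action`, `logged_id`, `http_method`, `path` and the tag `_loggedstring_unparsed` are assumptions chosen for illustration; the other field names are taken from the filter in the question.

```logstash
filter {
  # Split on the literal "|" delimiters. Dissect does no regex matching, so
  # the pipe needs no escaping here (in grok an unescaped | means alternation
  # and would have to be written as \|).
  dissect {
    mapping => {
      # The sample lines end with a trailing "|", so the mapping does too.
      "message" => "%{timestamp}|%{thread}|%{level}|%{class}|%{request_id}|%{loggedString}|"
    }
  }

  # Break up the free-text part, which in the sample lines looks like:
  #   Processing request:- id: 01AD... method: GET path: /
  #   Returning status:- id: 01AD... method: GET path: /
  grok {
    match => {
      "loggedString" => "^%{DATA:action}:- id: %{WORD:logged_id} method: %{WORD:http_method} path: %{NOTSPACE:path}$"
    }
    # Other DEBUG messages will not have this shape; tag them instead of
    # using the default _grokparsefailure so they are easy to tell apart.
    tag_on_failure => ["_loggedstring_unparsed"]
  }

  # Use the log line's own time as the event @timestamp.
  date {
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
  }
}
```

Events that do not fit the pipe layout are tagged `_dissectfailure` by the dissect filter, so both failure tags can be used to route unparsed lines for review rather than indexing them with missing fields.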

grok {
  match => {"message" => "%{TIMESTAMP_ISO8601:timestamp} ([%{DATA:thread}])? %{LOGLEVEL:level}%{SPACE}%{JAVACLASS:class}.%{DATA:method} - %{GREEDYDATA:loggedString}"
  }
}

This was working fine before. When the pipe separator comes in the log file, then it's failing. Can someone please correct me in the above filter?
