Parse Spring Boot logs using Logstash

Hi Team,

I need to parse the logs below using Logstash. I used grok, but it is giving a parsing error.

Grok-
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} %{JAVACLASS:logclass} %{CUSTOM_TRACE_EXCEPTION:exception} %{CUSTOM_TRACE_CAUSED_BY:causedby} %{GREEDYDATA:content}" }
  }
}

Logs -
2021-07-21 18:31:24 [http-nio-2222-exec-1] DEBUG c.v.a.ultimatevault.web.TraceFilter - Returning status 200 for GET /ultimatevault/api/v1/heartbeat
2021-07-21 18:31:27 [http-nio-2222-exec-2] DEBUG c.v.a.ultimatevault.web.TraceFilter - Processing request: GET /ultimatevault/api/v1/heartbeat
2021-07-21 18:31:27 [http-nio-2222-exec-2] DEBUG c.v.a.ultimatevault.web.TraceFilter - Returning status 200 for GET /ultimatevault/api/v1/heartbeat
2021-07-21 18:31:34 [http-nio-2222-exec-3] DEBUG c.v.a.ultimatevault.web.TraceFilter - Processing request: GET /ultimatevault/api/v1/heartbeat
2021-07-21 18:31:34 [http-nio-2222-exec-3] DEBUG c.v.a.ultimatevault.web.TraceFilter - Returning status 200 for GET /ultimatevault/api/v1/heartbeat

Need an urgent reply.
Thanks in advance.

Your pattern does not match this part of the log entry.

Can I get the correct pattern for the above logs, please?

grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{SKYLOGLEVEL:loglevel} %{THREAD:thread} %{RMOTEIP:remoteipaddress} %{JAVACLASS:logclass} %{CUSTOM_TRACE_EXCEPTION:exception} %{CUSTOM_TRACE_CAUSED_BY:causedby} %{GREEDYDATA:details}" }
}

This is also not working. My Logstash version is 7.13.

%{TIMESTAMP_ISO8601:timestamp} \[%{PROG:process}\] %{LOGLEVEL:loglevel} %{JAVACLASS:logclass} - %{GREEDYDATA:content}

{
  "process": "http-nio-2222-exec-1",
  "loglevel": "DEBUG",
  "content": "Returning status 200 for GET /ultimatevault/api/v1/heartbeat",
  "timestamp": "2021-07-21 18:31:24",
  "logclass": "c.v.a.ultimatevault.web.TraceFilter"
}

Thanks for the quick solution.

Could you please share the grok filter syntax that you used? I am not getting the timestamp that is in the log. I am getting the current timestamp.

Use this.

Example

filter {
  date {
    match => [ "timestamp", "ISO8601" ]
  }
}

You will just need to use the correct format.
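
An added example, not part of any post in this thread: a complete pipeline that combines the grok pattern and the date filter given above, with an explicit date format for the sample timestamps. The generator input, the `^` anchor, the UTC timezone and the conditional on `_grokparsefailure` are assumptions made for illustration.

```logstash
input {
  # Two of the sample lines from the question, replayed once each.
  generator {
    lines => [
      "2021-07-21 18:31:24 [http-nio-2222-exec-1] DEBUG c.v.a.ultimatevault.web.TraceFilter - Returning status 200 for GET /ultimatevault/api/v1/heartbeat",
      "2021-07-21 18:31:27 [http-nio-2222-exec-2] DEBUG c.v.a.ultimatevault.web.TraceFilter - Processing request: GET /ultimatevault/api/v1/heartbeat"
    ]
    count => 1
  }
}

filter {
  grok {
    # Pattern from the reply above, anchored at the start of the line.
    # The "[thread]" block and the " - " separator are the parts the
    # original pattern did not account for.
    match => { "message" => "^%{TIMESTAMP_ISO8601:timestamp} \[%{PROG:process}\] %{LOGLEVEL:loglevel} %{JAVACLASS:logclass} - %{GREEDYDATA:content}" }
  }

  # Only attempt the date conversion on events that grok actually parsed,
  # so unparsed lines keep a single, clear failure tag.
  if "_grokparsefailure" not in [tags] {
    date {
      # Explicit format for "2021-07-21 18:31:24" (space separator, no zone).
      match    => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
      # Assumption: the application logs in UTC; set this to the zone the
      # application actually writes its logs in.
      timezone => "UTC"
      target   => "@timestamp"
    }
  }
}

output {
  # Print each event with all fields so @timestamp can be compared
  # against the timestamp field extracted from the log line.
  stdout { codec => rubydebug }
}
```

Events whose `@timestamp` still shows the ingestion time will carry either `_grokparsefailure` or `_dateparsefailure` in `tags`, which identifies the filter that did not match.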
