Parsing grok

I'm using Logstash 6.6.0 and I would like to convert this value: "[34mems_1 |[0m" to this: "ems".

I look forward to hearing from you

Hi Angie,

not knowing what possible other values look like, I would say something like
"^\[34m%{DATA:myvalue}_1"
would work.

You might want to use the Grok Debugger in Kibana to test.

Thx for quick answer.
Actually, the problem is more complicated. Below are my messages, which are very irregular:

[32;1mems_1 |[0m 2019-05-23 08:09:16.764 DEBUG 41 --- [ main] e.m.event.brokercep.cep.CepService : CepService.addAggregatorFunction(): function=EVALAGG, aggregator-factory-class=.cep.CepEvalAggregatorFactory

and

[34mdlmswebservice_1 |[0m 2019-05-23 08:09:10.444 DEBUG 41 --- [ main] org.hibernate.type.EnumType : Using ORDINAL-based conversion for Enum DataSourceType

I use the Grok Debugger:
grok {
  match => { "message" => "%{GREEDYDATA:logger-name} %{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log-level} %{GREEDYDATA:info}" }
  overwrite => ["message"]
}

and it looks quite okay, besides the first value.

Do you have any advice for me in this case?

Thanks in advance

Your pattern already extracts the first part into logger-name, which is good to know.
The surrounding characters are basically from Bash Coloring, which you would need to remove first.

You can either include it in your grok pattern like I posted before, or you could use a mutate to remove them, like in this sample: https://gist.github.com/pauloconnor/4707710

I'm not sure whether the Escape-Character would need to be included, but this StackOverflow question has some input, possibly: https://stackoverflow.com/questions/33440366/grok-pattern-to-parse-the-esc-key

Adapting the gist I linked to your output:

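mutate {
  # Strip ANSI colour (m) and erase-line (K) sequences from the extracted field.
  # The final class is [mK]; inside a character class "|" is a literal pipe, not "or".
  gsub => ["logger-name", "\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mK]", ""]
}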
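
The two suggestions in this thread combined into one filter, as an added example that is not part of the original posts: it strips the colour sequences from the whole `message` before grok runs, so the service name can be captured on its own. The field names `service`, `instance`, `level` and `info` are chosen for illustration, and the filter assumes the ESC byte (0x1B) is still present in the event and that lines follow the docker-compose layout shown above.

```logstash
filter {
  # Step 1: remove ANSI colour/erase sequences (ESC [ ... m or K) from the raw line
  # before any parsing, so no control bytes end up in the extracted fields.
  # ESC is required in the pattern: without it, ordinary text such as "[main]"
  # would also match "[m" and be damaged.
  mutate {
    gsub => ["message", "\x1B\[[0-9;]*[mK]", ""]
  }

  # Step 2: parse the cleaned line, for example
  #   ems_1 | 2019-05-23 08:09:16.764 DEBUG 41 --- [ main] ...
  # DATA is lazy, so a service name containing underscores still works: the
  # pattern only succeeds once "_<digits>" is followed by the "|" separator.
  grok {
    match => {
      "message" => "^%{DATA:service}_%{INT:instance}\s*\|\s*%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:level}\s+%{GREEDYDATA:info}"
    }
    # Lines that do not fit this layout keep their original message and get this tag.
    tag_on_failure => ["_compose_line_unparsed"]
  }
}
```

For the two sample lines above this yields `service` values of `ems` and `dlmswebservice`, with `instance` set to `1` in both cases.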
