Parsing log line sends information twice

AdamJade · February 17, 2020, 4:14pm

Hi there
Here is my log line

[2020/02/11-20:22:06.643] !! Nom de classe de la BS : WXWXWX.Mtr.GpePayerEncaisser.Execution.Batchs.BS_RequestExecution

I want to obtain a message like this
datetime : 2020/02/11-20:22:06.643
message : Nom de classe de la BS : WXWXWX.Mtr.GpePayerEncaisser.Execution.Batchs.BS_RequestExecution to push it in elasticsearch.
Here is my filter

filter {
grok {
match => { "message" => "(?<REQ_TIME>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME})?%{GREEDYDATA:message}" }
}
}
All i got is the line
"message":["[2020/02/11-20:22:06.659] !! Date & heure : mar. 11 févr. 2020 20:22:06" twice.
Thanks for any help

ahmed_charafouddine · February 17, 2020, 4:28pm

You can try this :

 filter {
        grok {
            match => {
                "message" => "\[%{GREEDYDATA:tmp}\]%{SPACE}!!%{GREEDYDATA:reste}"
            }
        }

        date {
            locale => "fr"
            match => ["tmp", "YYYY/MM/dd-HH:mm:ss.SSSSSS"]
            timezone => "Europe/Paris"
            target => "@timestamp"
            remove_field => "tmp" # Suppression du champs tmp.
        }
    }

Badger · February 17, 2020, 4:28pm

Your REQ_TIME pattern does not match the message. It does not match the square brackets and it separates date and time using space rather than a hyphen. You have made it optional (the trailing ?) so the entire value of [message] is consumed by %{GREEDYDATA:message}, which just adds a second copy of [message] to [message].

Do not make REQ_TIME optional but also anchor it to start of line using ^

AdamJade · February 18, 2020, 3:10pm

Hi Ahmed, thank's so much, it works.

AdamJade · February 18, 2020, 3:10pm

Right, thank's a lot Badger.

system · March 17, 2020, 3:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.