Discuss the Elastic Stack

Parsing log using grok format

Elastic Stack Logstash

openRepo November 27, 2015, 4:27pm 1

Hello,

I am new to logstash and trying to parse below log using grok format.

2015-11-27 11:51:28,103 INFO org.xyz.abc.ClassName @ anonymous:session_id=20B27B5F10A828221F1C3D8B578267E9:ip_addr=xx.xxx.xx.xxx:view_collection:collection_id=xxxxx

So far i have build first three field using
%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}\s+(?(?:[a-zA-Z0-9-]+.)*[A-Za-z0-9$]+)\s

which gives me

timestamp 2015-11-27·11:51:28,103
loglevel INFO
logger org.xyz.abc.ClassName

however, i want to parse other field like

user anonymous
session 20B27B5F10A828221F1C3D8B578267E9
ip xx.xxx.xx.xxx
action view_collection
collectionId xxxxx

i tried several regular expression command at http://grokconstructor.appspot.com/do/match to achieve above but none working with grok.

Any help greatly appreciated

Thanks

Christian_Dahlqvist (Christian Dahlqvist) November 27, 2015, 5:22pm 2

The content after the '@' sign seems to be a property list. Catch all this into a single variable using grok and then use the KV filter to parse this.

1 Like

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.