Pattern matching Problem

abathula · July 8, 2015, 12:08pm

Is it correct pattern matching with below log. Actually i got _grokParseFaliure error is coming.

Log is: (Log4jNet) type log

2015-04-17 23:35:46,932 [10] DEBUG - Customer already exists...

conservation pattern in properties file:

<conversionPattern value="%date [%thread] %level %logger - %message%newline"/>

Pattern is:'

(?m)%{TIMESTAMP_ISO8601:time} [%{NUMBER:thread}] \ %{LOGLEVEL:loglevel} - %{GREEDYDATA:message}

magnusbaeck · July 8, 2015, 12:30pm

Square brackets are metacharacters so [%{NUMBER:thread}] needs to be \[%{NUMBER:thread}\].

abathula · July 8, 2015, 12:36pm

Thanks, @magnusbaeck can you check below log.

2015-04-17 23:35:46,932 [10] DEBUG NCR.XE.Component.MessageHandler.HistoryEventMessageProcessor - Customer_ID already exists...

<conversionPattern value="%date [%thread] %level %logger - %message%newline"/>

i am confusing after Loglevel (NCR.XE....)

magnusbaeck · July 8, 2015, 12:58pm

Ah, right. You're not capturing the logger either. Loggers should never have spaces in their names (they're almost always class names) so you can use %{NOTSPACE:logger} or perhaps %{JAVACLASS:logger}.

abathula · July 8, 2015, 1:39pm

Thanks @magnusbaeck it's working now but i am getting small problem. I am using the logstash configuration, like below

filter{
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:time} [%{NUMBER:thread}] %{LOGLEVEL:loglevel} %{JAVACLASS:class} -%{GREEDYDATA:message} " }
}

mutate {
add_field => {
"loglevel" => "%{LOGLEVEL:loglevel}"
}
}

}

I want only Loglevel (ERROR,DEBUG,WARN) but it's giving "%{LOGLEVEL:loglevel}" also

magnusbaeck · July 8, 2015, 1:49pm

Remove the mutate filter. You've already captured the loglevel field so there's no reason to add it again.

abathula · July 8, 2015, 4:21pm

Thanks @magnusbaeck ......Now it's working fine.