Problem in grok pattern


(Ibrahim Sharaf El Den) #1

Hello, I have this snippet of a log-file

2017-01-01 07:53:44 [connectionpool.py] DEBUG: "POST /api/v1/crawledproducts/merchant/ariika/new_crawl_iteration/ HTTP/1.1" 200 None
2017-01-01 07:53:44 [monitor_utils.py] INFO: Crawled iteration for merchant ariika started
2017-01-01 07:53:44 [utils.py] INFO: UpdateCrawlIteration._start_crawl_iteration function took 0.127 s
2017-01-01 07:53:44 [telnet.py] DEBUG: Telnet console listening on 127.0.0.1:33357
2017-01-01 07:53:44 [middlewares.py] INFO: [kipp] Using user agent (Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17)

I wrote a grok filter to extract the merchant name (ariika) from the second line, I tested it on grok debugger it was working, but it didn't extract in logstash

grok{
	match => [ "message", "(?<merchant_name>(?<=Crawled iteration for merchant ).*(?= started))" ]
}

Can you suggest a better pattern?


(Magnus B├Ąck) #2

The lookbehind assertion (or whatever it is) seems like an overcomplication. Why not this?

Crawled iteration for merchant %{WORD:merchant} started

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.