Problem with my grok-need assistance

Nithani25 · September 27, 2018, 9:54am

Hi Team,
I am working on some simillar to weblogic trace logs and it has following inputs in combined .

2018-09-27 02:36:11,474 DEBUG [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] SegmentedUrlRewriteFilter getUrlRewriter() getUrlRewriter: Cache fresh, using cached object
2018-09-27 02:36:11,502 WARN [pool-5-thread-413] ProductUtils getConfigNodeByName() No additional config found for: gw-ca

and my grok looks some think below.

%{TIMESTAMP_ISO8601:occuredtimestamp}\s%{DATA:trace}\s%{GREEDYDATA:threadinfo}]\s%{DATA:loggerclass}\s%{DATA:Method}\s%{GREEDYDATA:Logmessage}

but facing grok parse failure in my codec output.

magnusbaeck · September 27, 2018, 10:20am

Don't use more than one DATA or GREEDYDATA in a single grok expression. Use more exact patterns and build your expression step by step.

Nithani25 · September 27, 2018, 10:40am

Agreed, can i find help to grok the "threadinfo" field in particular, since it has two different values.

[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)']

[pool-5-thread-413]

magnusbaeck · September 27, 2018, 11:12am

Untested:

\[(?<threadinfo>(\[[^\]]+\])?[^\]]+)\]

system · October 25, 2018, 11:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.