Separate part of log in Logstash

Hello,

I have a problem with configuring the grok plugin. I'm a beginner and I don't yet know how it all works.

This is part of logstash conf:

filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:formattedDate}.* %{GREEDYDATA:tempMessage}" }
  }
  date {
    match => ["formattedDate", "YYYY-MM-dd HH:mm:ss.SSS", "ISO8601"]
    target => "@timestamp"
  }
}

And I have a flat file which has the data below:
2016-06-01 00:00:09.971 [INFO][ sample.info.log][ sample.info.log] [ SINGLETON_CRUSHED|XXX] Locking...

My output in LS is:

{
  "message": "2016-06-01 00:00:09.971 [INFO][ sample.info.log][ sample.info.log] [ SINGLETON_CRUSHED|XXX] Locking... ",
  "@version": "1",
  "@timestamp": "2016-05-31T22:01:39.995Z",
  "path": "C:\\data\\sample.log",
  "host": "SDPL02864",
  "formattedDate": "2016-06-01 00:01:39.995",
  "tempMessage": "SINGLETON_CRUSHED|statusX] Locking..."
}

And I don't know how I can separate this part, SINGLETON_CRUSHED|statusX] Locking..., into two parts like here:

{
  "message": "2016-06-01 00:00:09.971 [INFO][ sample.info.log][ sample.info.log] [ SINGLETON_CRUSHED|XXX] Locking... ",
  "@version": "1",
  "@timestamp": "2016-05-31T22:01:39.995Z",
  "path": "C:\\data\\sample.log",
  "host": "SDPL02864",
  "formattedDate": "2016-06-01 00:01:39.995",
  "tempMessage": "SINGLETON_CRUSHED",   <--------------------------
  "tempMessage2": "statusX"           <--------------------------
}

How can I do this?

Thanks in advance

You need to split the %{GREEDYDATA:tempMessage} up.
Head over to http://grokdebug.herokuapp.com/ to try a few things out :)

Thanks for your answer. I will try to do this, but it's problematic for me now :)
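One way to split %{GREEDYDATA:tempMessage} as the reply suggests, shown as an added example that is not part of the original thread: a small offline harness that expands a grok-style expression into a regular expression and runs it against the sample line. The `PATTERNS` bodies are simplified stand-ins for the stock grok definitions, and the `level` and `text` field names, the `NO_PIPE` line and the helper functions are assumptions made for illustration.

```ruby
# Added example: expand a grok-style expression and test it on the thread's log line.
# Assumption: simplified stand-ins for the stock grok patterns of the same names.
PATTERNS = {
  "TIMESTAMP_ISO8601" => '\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?',
  "WORD"              => '\w+',
  "DATA"              => '.*?',
  "GREEDYDATA"        => '.*'
}.freeze

# Candidate expression for the grok filter's match on "message".
# The two inline named captures use negated character classes so that neither
# field can run past the closing "]" of the bracket it belongs to.
GROK = '^%{TIMESTAMP_ISO8601:formattedDate} \[%{WORD:level}\](?:\[\s*%{DATA}\]){2}\s*' \
       '\[\s*(?<tempMessage>[^|\]]+)\|(?<tempMessage2>[^\]]+)\]\s*%{GREEDYDATA:text}$'

# Sample line from the question, and a constructed line without a "|" in the last bracket.
SAMPLE  = '2016-06-01 00:00:09.971 [INFO][ sample.info.log][ sample.info.log] ' \
          '[ SINGLETON_CRUSHED|XXX] Locking...'
NO_PIPE = '2016-06-01 00:00:10.000 [INFO][ a][ b] [ NO_PIPE_HERE] Locking...'

# Replace %{NAME:field} with a named capture and %{NAME} with a plain group.
def grok_to_regexp(expr)
  source = expr.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    body = PATTERNS.fetch($1) # KeyError on a pattern name this harness does not know
    $2 ? "(?<#{$2}>#{body})" : "(?:#{body})"
  end
  Regexp.new(source)
end

# Return the extracted fields as a hash, or nil when the line does not match
# (Logstash would tag such an event with _grokparsefailure by default).
def grok_match(expr, line)
  m = grok_to_regexp(expr).match(line)
  m && m.named_captures
end

if __FILE__ == $0
  p grok_match(GROK, SAMPLE)
  p grok_match(GROK, NO_PIPE)
end
```

Anchoring the expression and matching each bracket explicitly avoids the ambiguity of the original `.* %{GREEDYDATA:tempMessage}`, where the greedy `.*` decides where the field starts.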