Trying to parse when LOGLEVEL is ERROR

Hello,

I'm trying to parse only the LOGLEVEL field using grok, but it doesn't work.

My logstash.log comes from :

[2020-02-20T15:55:46,198][ERROR][logstash.inputs.jdbc ] Java::ComSybaseJdbc3Jdbc::SybSQLException: Difference of two datetime fields caused overflow at runtime.:
[2020-02-20T16:27:36,610][INFO ][logstash.pipeline ] Pipeline has terminated {:pipeline_id=>"main", :thread=>"#<Thread:0x1b10a501 run>"}

and the grok filter

input {
  file {
    path => "/logs/logstash-plain-duplicate.log"
  }
}

#############
#############
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} \s+[%{JAVACLASS:class}] %{GREEDYDATA:message} " }
  }
  mutate {
    add_field => {
      "lvl" => "%{LOGLEVEL}"
    }
  }
}
#############
#############

output {
  stdout { codec => rubydebug }
}

And here is the result :

{
      "@version" => "1",
          "path" => "/logs/logstash-plain-duplicate.log",
          "host" => "SERV100",
    "@timestamp" => 2020-02-21T13:38:31.138Z,
          "tags" => [
        [0] "_grokparsefailure"
    ],
           "lvl" => "%{LOGLEVEL}",
       "message" => "[2020-02-20T15:55:46,198][ERROR][logstash.inputs.jdbc ] Java::ComSybaseJdbc3Jdbc::SybSQLException: Difference of two datetime fields caused overflow at runtime.:"
}

Thank you :)

Your grok pattern does not match the message. You need to include all the square brackets etc. in the pattern, and they will need to be escaped.

Thank you Badger for your reply.

I used https://grokdebug.herokuapp.com/ to compare with the grok pattern but it's not working.

Anyone have the GROK example for this?

The solution:

\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{DATA:loglevel}%{SPACE}\]\[%{JAVACLASS:class}%{SPACE}\] %{GREEDYDATA:message}
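A complete pipeline with the square brackets escaped as the reply above advises, added here as an example that is not part of the original thread. It assumes the goal is to keep only ERROR events; the `LOGLEVEL` capture (instead of `DATA`), the `overwrite` setting, the `lvl` field reference and the `drop` conditional are choices made for this example.

```logstash
input {
  file {
    path => "/logs/logstash-plain-duplicate.log"
  }
}

filter {
  grok {
    # Literal [ and ] are backslash-escaped. Unescaped, they open a regex
    # character class and the event is tagged _grokparsefailure.
    # %{SPACE} absorbs the padding in "[INFO ]" and "[logstash.pipeline ]".
    match => {
      "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:loglevel}%{SPACE}\]\[%{JAVACLASS:class}%{SPACE}\] %{GREEDYDATA:message}"
    }

    # "message" already exists on the event. Without overwrite, the captured
    # text is appended to it and the field becomes an array.
    overwrite => [ "message" ]

    # Field references use the capture name chosen in the pattern (loglevel),
    # not the grok pattern name (LOGLEVEL). add_field inside grok is applied
    # only when the match succeeds, so no literal "%{loglevel}" is emitted.
    add_field => { "lvl" => "%{loglevel}" }
  }

  # Assumption for this example: only ERROR events are wanted downstream.
  # Events that failed to parse are kept so the failure stays visible.
  if "_grokparsefailure" not in [tags] and [loglevel] != "ERROR" {
    drop { }
  }
}

output {
  stdout { codec => rubydebug }
}
```

With the two sample lines from the question, the ERROR event is printed with `loglevel`, `lvl`, `class` and `timestamp` populated, and the INFO event is dropped.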
