cb2015
(Cody Burke)
June 16, 2016, 10:49pm
1
Hi Everyone,
I am trying to parse a log which has two formats in it. They are:
Timestamp loglevel thread blahblahblah
Timestamp thread loglevel blahblahblah
I am currently trying to use a | and ()'s to cover for both cases, but Grok debugger doesn't seem to like this.
Here is the relevant part of my grok:
%{TIMESTAMP_ISO8601:TimeStamp} (%{LOGLEVEL:Level} %{BRACKETED:Thread})|(%{BRACKETED:Thread) %{LOGLEVEL:Level})
Here BRACKETED is just \[%{GREEDYDATA}\]
If anyone has any suggestions or comments about how I might be misusing Grok, or about how to make progress in this, I would greatly appreciate it.
As a side question, is it in general ok to use things like ?, |, () etc in a Grok pattern?
%{TIMESTAMP_ISO8601:TimeStamp} (%{LOGLEVEL:Level} %{BRACKETED:Thread})|(%{BRACKETED:Thread) %{LOGLEVEL:Level})
You probably want this, i.e. follow the pattern (option1|option2) rather than (option1)|(option2):
%{TIMESTAMP_ISO8601:TimeStamp} (%{LOGLEVEL:Level} %{BRACKETED:Thread}|%{BRACKETED:Thread} %{LOGLEVEL:Level})
As a side question, is it in general ok to use things like ?, |, () etc in a Grok pattern?
Yes. Grok is just regexp but with %{PATTERN} macros.
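To see concretely why (option1)|(option2) misbehaves while (option1|option2) works, here is a small grok emulator written for this thread; it is added example code, not part of the original posts and not Logstash's own implementation. It expands %{NAME:field} macros into a Python regex the way grok does, using a trimmed-down subset of the stock pattern definitions (an assumption, not the full library), plus the poster's BRACKETED pattern, and runs both alternation forms over two constructed log lines, one in each layout. Because grok's regex engine (Oniguruma) allows the same group name twice but Python's re does not, each capture gets a unique internal group name that is mapped back to the grok field name afterwards.

```python
import re

# Trimmed subset of the stock grok pattern library (assumption: simplified
# for this example, not the full definitions shipped with Logstash).
PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL)",
    "GREEDYDATA": r".*",
    # The poster's custom pattern, exactly as defined in the question.
    "BRACKETED": r"\[%{GREEDYDATA}\]",
}

# Matches %{NAME} or %{NAME:field} macros inside a grok expression.
_MACRO = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern, patterns=PATTERNS):
    """Recursively expand grok macros into a compiled Python regex.

    Returns (regex, mapping) where mapping goes from the unique internal
    group name to the grok field name the user asked for.
    """
    groups = {}

    def expand(text, depth=0):
        if depth > 20:
            raise ValueError("grok pattern recursion too deep")

        def repl(m):
            name, field = m.group(1), m.group(2)
            if name not in patterns:
                raise KeyError("unknown grok pattern %%{%s}" % name)
            body = expand(patterns[name], depth + 1)
            if field is None:
                return "(?:%s)" % body
            # Oniguruma lets grok reuse a field name in both alternatives;
            # Python's re rejects duplicate group names, so use g0, g1, ...
            gname = "g%d" % len(groups)
            groups[gname] = field
            return "(?P<%s>%s)" % (gname, body)

        return _MACRO.sub(repl, text)

    return re.compile(expand(pattern)), groups


def grok_match(pattern, line):
    """Unanchored search, like Logstash's grok filter; returns the captured
    fields as a dict, or None when nothing in the line matches."""
    rx, groups = compile_grok(pattern)
    m = rx.search(line)
    if m is None:
        return None
    fields = {}
    for gname, field in groups.items():
        value = m.group(gname)
        if value is not None:      # the alternative that did not fire is None
            fields[field] = value
    return fields


# The question's form: the | splits the WHOLE expression, so the second
# alternative no longer requires a timestamp in front of it.
BROKEN = (r"%{TIMESTAMP_ISO8601:TimeStamp} "
          r"(%{LOGLEVEL:Level} %{BRACKETED:Thread})|(%{BRACKETED:Thread} %{LOGLEVEL:Level})")

# The answer's form: the | is scoped to the group after the timestamp.
FIXED = (r"%{TIMESTAMP_ISO8601:TimeStamp} "
         r"(%{LOGLEVEL:Level} %{BRACKETED:Thread}|%{BRACKETED:Thread} %{LOGLEVEL:Level})")

# Constructed sample lines, one in each of the two layouts from the question.
LINES = [
    "2016-06-16T22:49:00 INFO [worker-1] request handled",
    "2016-06-16T22:49:01 [worker-2] WARN retrying request",
]


def demo():
    for label, pat in (("broken", BROKEN), ("fixed", FIXED)):
        for line in LINES:
            print("%-6s %s" % (label, grok_match(pat, line)))


if __name__ == "__main__":
    demo()
```

Running demo() shows the difference: with BROKEN the first line parses fully, but the second line is matched only by the right-hand alternative, so Thread and Level are captured and TimeStamp is silently absent; with FIXED both lines yield all three fields. Because grok searches rather than anchors, a mis-scoped alternation fails quietly instead of loudly, which is why the debugger output looked off. One further caveat on the BRACKETED definition itself: \[%{GREEDYDATA}\] is greedy, so if the message text after the thread contains another ], the Thread capture will stretch to that last bracket; something like \[[^\]]*\] (a suggested alternative, not from the thread) stops at the first closing bracket.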
cb2015
(Cody Burke)
June 20, 2016, 6:15pm
3
Oh, so it was just a mistake in my regex. That's a little embarrassing.
Thank you for taking the time to help me out though, everything is working great for me now!