Hi,
I have a log with the below pattern:
2018-09-05 11:50:56,152 - INFO - 103.8.115.242 - username1 - com.example.test.service.testService - [ajp-nio-8009-exec-9] - /testServiceCall/default/testPage [page=default, component=testComponent, service=testService, method=testMethod] - @OcService.refreshTree
2018-09-05 11:50:56,152 - INFO - 103.8.115.242 - username2 - com.example.test.service.testService - [ajp-nio-8009-exec-9] - /testServiceCall/default/testPage [page=default, component=testComponent, service=testService, method=testMethod] - @OcService.refreshTree
I want to extract the username1 and username2 with the help of Grok and add the usernames into username TAG for each log.
Any help is appreciated on this topic.
Thanks,
Nasir
Check out the following link to find out what grok patterns are pre-available:
USERNAME [a-zA-Z0-9._-]+
USER %{USERNAME}
EMAILLOCALPART [a-zA-Z][a-zA-Z0-9_.+-=:]+
EMAILADDRESS %{EMAILLOCALPART}@%{HOSTNAME}
INT (?:[+-]?(?:[0-9]+))
BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
NUMBER (?:%{BASE10NUM})
BASE16NUM (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))
BASE16FLOAT \b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b
POSINT \b(?:[1-9][0-9]*)\b
NONNEGINT \b(?:[0-9]+)\b
WORD \b\w+\b
NOTSPACE \S+
SPACE \s*
DATA .*?
GREEDYDATA .*
QUOTEDSTRING (?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``))
UUID [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
# URN, allowing use of RFC 2141 section 2.3 reserved characters
and the following link to test your grok pattern
http://grokconstructor.appspot.com/do/match#result
Try out the following grok for your use case:
grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} - %{WORD} - %{IP} - %{WORD:username} - %{GREEDYDATA:source}" }
}
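The answer's pattern works for the two sample lines, but it captures the username with `%{WORD}` (`\b\w+\b`), which cannot match names containing a dot or a hyphen, while the `USERNAME` pattern listed above (`[a-zA-Z0-9._-]+`) can. The following is an added example, not code from the thread or from Logstash: a small Python re-implementation of grok expansion over a constructed subset of the standard pattern library (`IP` is reduced to the IPv4 form, and the other definitions are copied from the grok-patterns file), run over the two log lines from the question plus a third, constructed line with a dotted username, to show where the two captures differ.

```python
import re

# Constructed subset of the standard grok pattern library. The real IP pattern
# also accepts IPv6; here it is reduced to IPv4 (assumption for this example).
PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?",
    "IPV4": (r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
             r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
             r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
             r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])"),
    "IP": r"%{IPV4}",
    "WORD": r"\b\w+\b",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "GREEDYDATA": r".*",
}

# %{NAME} or %{NAME:field}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(grok):
    """Expand a grok expression into a plain Python regex.

    %{NAME:field} becomes a named capture group, %{NAME} a non-capturing
    group; the loop repeats until nested references are resolved.
    """
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    while GROK_REF.search(grok):
        grok = GROK_REF.sub(sub, grok)
    return grok


def grok_match(grok, line):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = re.match(expand(grok), line)
    return m.groupdict() if m else None


def extract_usernames(grok, lines):
    """Apply one grok expression to every line; None marks a parse failure."""
    return [(grok_match(grok, line) or {}).get("username") for line in lines]


# The first two lines are the ones from the question; the third is constructed
# to hold a username with a dot and a hyphen.
LOG_LINES = [
    "2018-09-05 11:50:56,152 - INFO - 103.8.115.242 - username1 - com.example.test.service.testService - [ajp-nio-8009-exec-9] - /testServiceCall/default/testPage [page=default, component=testComponent, service=testService, method=testMethod] - @OcService.refreshTree",
    "2018-09-05 11:50:56,152 - INFO - 103.8.115.242 - username2 - com.example.test.service.testService - [ajp-nio-8009-exec-9] - /testServiceCall/default/testPage [page=default, component=testComponent, service=testService, method=testMethod] - @OcService.refreshTree",
    "2018-09-05 11:50:57,001 - WARN - 103.8.115.242 - first.last-01 - com.example.test.service.testService - [ajp-nio-8009-exec-9] - /testServiceCall/default/testPage [page=default, component=testComponent, service=testService, method=testMethod] - @OcService.refreshTree",
]

# The pattern from the answer above.
ANSWER_GROK = "%{TIMESTAMP_ISO8601:timestamp} - %{WORD} - %{IP} - %{WORD:username} - %{GREEDYDATA:source}"

# Same structure, but capturing the username with USERNAME and keeping the
# level and client address as fields (field names are this example's choice).
ROBUST_GROK = "%{TIMESTAMP_ISO8601:timestamp} - %{WORD:level} - %{IP:client} - %{USERNAME:username} - %{GREEDYDATA:source}"


if __name__ == "__main__":
    for label, grok in (("WORD", ANSWER_GROK), ("USERNAME", ROBUST_GROK)):
        print(label, extract_usernames(grok, LOG_LINES))
```

With `%{WORD:username}` the third line does not match at all, so in Logstash the event would carry no `username` field and would be tagged `_grokparsefailure`; with `%{USERNAME:username}` all three lines yield a username. When the extracted user is later used for alerting or access review, that silent drop is the thing to check for, because the users whose names contain dots or hyphens would simply be absent from the results.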
Thank you @abhiroyg . This helped a lot.
system
Closed October 10, 2018, 2:35pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.