Writing grok filter for my usecase

I have the following line in log file,

[2017-07-07 11:41:30.794][DEBUG][Hello]

for the above log, i have written the grok filter as shown below,
match => {"message" =>"[%{TIMESTAMP_ISO8601:TimeStamp}][%{LOGLEVEL:logLevel}][%{WORD:machineName}]"}

But i have another scenario where my last part of the log is little changed as below,

[2017-07-07 11:41:30.794][DEBUG][C:0:O:1]

For this i am not able to write the proper grok filter. I tried the below,

match => {"message" =>"[%{TIMESTAMP_ISO8601:TimeStamp}][%{LOGLEVEL:logLevel}][%{HOSTNAME:machineName}]"}

HOSTNAME is not working. Can you please suggest which keyword to use.

Try (?<machineName>[^\]]+) instead of %{HOSTNAME:machineName}; one or more characters of any kind except closing square bracket.

@magnusbaeck ,

This is my exact filter ..
match => {"message" =>"[%{TIMESTAMP_ISO8601:TimeStamp}][%{LOGLEVEL:logLevel}][%{HOSTNAME:machineName}][%{JAVACLASS:className}][%{JAVAMETHOD:methodName}][%{WORD:commandID}][%{GREEDYDATA:myMessage}]"}

Can you please tell me what to modify here so that HOSTNAME:machineName accepts C:0:O:1.

If my input is C:0:O:1, then HOSTNAME:machineName is not able to parse it.
But if my input is C:0:O.1, then HOSTNAME:machineName is able to parse it.

Is it because there is : already present in HOSTNAME:machineName.. how to solve it. Please help me here

@magnusbaeck,

I used the below filter and it worked,
match => {"message" =>"[%{TIMESTAMP_ISO8601:TimeStamp}][%{LOGLEVEL:logLevel}][(?[0-9A-Z:]{3,15})]"}

Thanks a lot for your input..

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.