0

I want to ask your help in parsing my logs in custom format. I tried to use http://grokdebug.herokuapp.com/ for discover my log format, but unfortunately I didn't succeed. my log has the next format: 

#AdressHost#TypeLogs|OrganizationName|user@mail.com|CallMethod|ExecutionTimeOnDB|ExecutionTimeOnAppServer|Date Time

for example:

#mac.frozm.com#CallInfo|Jonsens|jack.lellow@jonsens.com|GetTotalsInfo|19|3|2014-05-11 07:49:10

I try to use the following pattern:

#%{URIHOST}#CallInfo|Jonsens|%{USER:auth}@%{URIPROTO}|GetTotalsInfo|%{NUMBER:duration}|0|%{DATESTAMP} %{TIME}

but Logstash keeps throwing "_grokparsefailure" Can you help me or might suggest another way for parsing log in the Logstash tool

mimin0
  • 871
  • 8
  • 9

1 Answers1

1

This part: 

GetTotalsInfo|19|3|

does not seem to match up with this part of your pattern:

GetTotalsInfo|%{NUMBER:duration}|0|

as you specify a 0 in the pattern where in your example you have a 3.

Here's a general piece of advice when building grok patterns. Do small pieces of the pattern at a time, and check to see if they work first before building up a larger pattern. You can use this to debug patterns that are giving you trouble, taking each individual piece and testing them.

For example, just start out with a pattern like this and check to see if it works:

"^#%{URIHOST}"

(the ^ is a regex anchor that guarantees there are no preceding characters) Build up from there.

I hope this helped!

DBPriGuy
  • 98
  • 6