grok help for logstash

Question

My logs look as such

00009139 2015-03-03 00:00:20.142  5254 11607 "HTTP First Line: GET /?main&legacy HTTP/1.1"

I tried using grok debugger to get this information formatted with no success. Is there any way to get this format using grok? The quoted string would be the message

So I used the following formatting simply by using the grok patterns page.

%{NUMBER:Sequence} %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}? %{NUMBER:Process}%{NUMBER:Process2}%{WORD:Message}

Yes, of course there is a way. Start the conversation by showing us the pattern you built that was the "closest". — Alain Collins, Mar 03 '15 at 19:43

score 0 · Answer 1 · answered May 12 '15 at 15:34

This is the closest I could get with the current info.

%{INT}%{SPACE}%{TIMESTAMP_ISO8601}%{SPACE}%{INT:pid1}%{SPACE}%{INT:pid2}%{SPACE}%{GREEDYDATA:message}

With the above grok pattern, this is what the grokdebugger "catches":

{
  "INT": [
    [
      "00009139"
    ]
  ],
  "SPACE": [
    [
      " ",
      "  ",
      " ",
      " "
    ]
  ],
  "TIMESTAMP_ISO8601": [
    [
      "2015-03-03 00:00:20.142"
    ]
  ],
  "YEAR": [
    [
      "2015"
    ]
  ],
  "MONTHNUM": [
    [
      "03"
    ]
  ],
  "MONTHDAY": [
    [
      "03"
    ]
  ],
  "HOUR": [
    [
      "00",
      null
    ]
  ],
  "MINUTE": [
    [
      "00",
      null
    ]
  ],
  "SECOND": [
    [
      "20.142"
    ]
  ],
  "ISO8601_TIMEZONE": [
    [
      null
    ]
  ],
  "pid1": [
    [
      "5254"
    ]
  ],
  "pid2": [
    [
      "11607"
    ]
  ],
  "message": [
    [
      ""HTTP First Line: GET /?main&legacy HTTP/1.1""
    ]
  ]
}

Hope I was of some help.

score 0 · Answer 2 · edited Apr 13 '16 at 18:13

0

Try to replace %{WORD:Message} at the end of your grok with %{QS:message}.

hope this helps :)

edited Apr 13 '16 at 18:13

bknights

14,408
2
18
31

answered Apr 13 '16 at 17:52

RamenCoder

358
1
2
16

grok help for logstash

2 Answers2