Logstash grok square brackets

Question

I'm trying to get some sort of grok pattern to work with the following logging format :

*Sun 07:05:18.372 INFO  [main] [userID] perf - 0ms - select x from y

The problem I'm having is the field in square brackets that I've annotated here as userID. Sometimes this field is populated and at other times it is not. If I use the grok pattern below :

*%{DAY:Day} %{TIME:Time} %{LOGLEVEL:Loglevel}\s+(\[%{WORD:module}\]\s+)(\[%{HOSTNAME:id}\]\s+)%{GREEDYDATA:logline}*

It parses correctly as long as there is some data in the UserID field. If that field is empty ( example below ) it doesn't match. Any ideas gratefully received!

*Sun 07:05:18.372 INFO  [main] [] perf - 0ms - select x from y

Check with grokDebugger like http://grokconstructor.appspot.com/do/match#result and also reference for matching pattern http://grokdebug.herokuapp.com/patterns# — Anilkumar Bathula, Jul 17 '15 at 09:24

score 9 · Answer 1 · answered Jul 16 '15 at 15:07

9

Did you try to escape the brackets with backward slash? As in \[%{WORD:module}\]

answered Jul 16 '15 at 15:07

Erez Rabih

15,562
3
47
64

score 0 · Answer 2 · answered Apr 23 '18 at 15:33

0

the question is not about the escaping of the [] a simple zero or more operator (?) should do it:

(?\[%{WORD:module}?]\s+)

(the second ?)

answered Apr 23 '18 at 15:33

Markus

1,887
18
23

Logstash grok square brackets

2 Answers2