Some context:

I want to parse the following log statement using grok in logstash

07:51:45,729 TRACE [com.company.Class] (ajp-/1.2.3.4:8080-251) USERID called path: /url and took: 1000 ms

I am now using the following syntax to parse the complete message:

%{DATA:time}\s%{DATA:level}\s%{DATA:class}\s%{DATA:thread}\s%{DATA:userid}\s.*path:\s%{DATA:url}\s.*:\s%{NUMBER:duration:int}\sms

Which gives me all the properties that I have defined.

My question:

I want to parse this part (ajp-/1.2.3.4:8080-251) into a 'thread' property and an ip property. The result needs to be:

  • thread: (ajp-/1.2.3.4:8080-251)
  • ip: 1.2.3.4

How can I do this?

Thanks

cremersstijn

1 Answer

Just add a second grok filter after your working one. Do not put this in your existing grok filter because it will finish after the first match.

Example:

grok {
    match => [ 'thread', '%{IP:ip}' ]
}

This obtains your previous field thread => "(ajp-/1.2.3.4:8080-251)" and adds a new field ip => "1.2.3.4".

Apart from that, I would recommend that you be more specific with your pattern. You used DATA every time, which is kind of imprecise. Start with something like this:

%{TIME:timestamp} %{WORD:method} \[%{JAVACLASS:class}\] \(%{DATA:thread}\) %{NUMBER:userid} %{DATA}%{URIPATH:uri}%{DATA}

hurb
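As an added example (not code from the question or the answer), a small Python emulation of grok's `%{NAME:field:type}` expansion that runs both filters over the log line from the question: the second `%{IP:ip}` grok over the extracted `thread` field, and the answer's more specific pattern beside the all-DATA one. The PATTERNS table is an assumption, a simplified stand-in for Logstash's stock definitions, and the numeric-userid and truncated log lines used to exercise it are constructed.

```python
import re
# Simplified stand-ins for stock Logstash grok definitions (assumption, not the shipped file).
PATTERNS = {
    "DATA": r".*?",
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)",
    "IP": r"%{IPV4}",  # a definition may reference another one
    "TIME": r"(?<!\d)(?:2[0-3]|[01]?\d):[0-5]\d(?::(?:[0-5]?\d|60)(?:[:.,]\d+)?)?(?!\d)",
    "JAVACLASS": r"(?:[A-Za-z$_][\w$]*\.)*[A-Za-z$_][\w$]*",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")  # %{NAME[:field[:type]]}

def expand(pattern, types):
    """Recursively resolve %{...} references; %{NAME:field} becomes a named group."""
    def sub(m):
        name, field, typ = m.groups()
        if field:
            types[field] = typ  # remember ':int' etc. for conversion after matching
            return f"(?P<{field}>{PATTERNS[name]})"
        return f"(?:{PATTERNS[name]})"
    while "%{" in pattern:
        pattern = REF.sub(sub, pattern)
    return pattern

def grok(pattern, text):
    """Unanchored search like the grok filter; None stands for _grokparsefailure."""
    types = {}
    m = re.search(expand(pattern, types), text)
    if m is None:
        return None
    fields = m.groupdict()
    for field, typ in types.items():
        if typ == "int" and fields[field] is not None:
            fields[field] = int(fields[field])
    return fields

LOOSE = (r"%{DATA:time}\s%{DATA:level}\s%{DATA:class}\s%{DATA:thread}\s%{DATA:userid}"
         r"\s.*path:\s%{DATA:url}\s.*:\s%{NUMBER:duration:int}\sms")  # question's pattern
STRICT = (r"%{TIME:timestamp} %{WORD:method} \[%{JAVACLASS:class}\] \(%{DATA:thread}\) "
          r"%{NUMBER:userid} %{DATA}%{URIPATH:uri}%{DATA}")  # answer's suggestion

def parse_event(line, pattern=LOOSE):
    """Two grok filters in sequence: the message first, then the 'thread' field for the IP."""
    event = grok(pattern, line)
    if event is not None:
        event.update(grok("%{IP:ip}", event["thread"]) or {})
    return event
```

On a constructed line with the thread segment missing, the all-DATA pattern still matches and silently shifts every field (the userid lands in `thread`), while the specific pattern returns None, which in Logstash would surface as a `_grokparsefailure` tag instead of wrong data.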