
I have these three log lines in the same log file:

INFO [2015-08-27 18:46:14,279] ({qtp243745864-44} NotebookServer.java[onMessage]:101) - RECEIVE << RUN_PARAGRAPH
INFO [2015-08-27 18:46:14,322] ({qtp243745864-44} NotebookServer.java[broadcast]:253) - SEND >> NOTE
INFO [2015-08-27 18:46:16,809] ({pool-1-thread-2} RemoteInterpreter.java[init]:144) - Create remote interpreter org.apache.zeppelin.markdown.Markdown

I want to parse them using grok but am failing to get the right fields: 1) how do I parse the data within the brackets? 2) the last part of the log line is either (CMD direction cmd_data) or (cmd info); in the example:

cmd=Receive or SEND
cmd_direction=<< or >>
cmd_data=RUN_PARAGRAPH or NOTE

But the last line is CMD info which does not correspond to the same format.

I am trying to find the right rule that will match the first and second but not the third. The end result should be either (cmd + cmd_data) or (cmd_info) fields. Any help?

baudsp
Eran Witkon

2 Answers


Logstash has conditionals in the config file, so you can conditionally match things.

For example:

if ([message] =~ /(RECEIVE|SEND)/) {
   grok {
      # do your grok here
   }
} else if ([message] =~ /RemoteInterpreter/) {
   grok {
      # do some other grok here
   }
}

If you need help with what those groks should be, try using the grok debugger.

Alcanzar
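To make the conditional approach concrete, here is an added example (not part of the answer above, and not Logstash itself) that mirrors it in Python: one regex with named groups stands in for the shared grok prefix that pulls apart the bracketed fields, and a second one is applied only when the tail looks like a RECEIVE/SEND command, so the third line falls through to cmd_info. The grok pattern in the comment is the assumed equivalent; the sample lines are the three from the question.

```python
import re

# Constructed sample input: the three log lines from the question.
LOG_LINES = [
    "INFO [2015-08-27 18:46:14,279] ({qtp243745864-44} NotebookServer.java[onMessage]:101) - RECEIVE << RUN_PARAGRAPH",
    "INFO [2015-08-27 18:46:14,322] ({qtp243745864-44} NotebookServer.java[broadcast]:253) - SEND >> NOTE",
    "INFO [2015-08-27 18:46:16,809] ({pool-1-thread-2} RemoteInterpreter.java[init]:144) - Create remote interpreter org.apache.zeppelin.markdown.Markdown",
]

# Shared prefix: level, bracketed timestamp, then "({thread} File.java[method]:line) - rest".
# Assumed grok equivalent:
#   %{LOGLEVEL:level} \[%{TIMESTAMP_ISO8601:timestamp}\] \(\{%{DATA:thread}\} %{JAVAFILE:file}\[%{WORD:method}\]:%{INT:line}\) - %{GREEDYDATA:rest}
PREFIX = re.compile(
    r"^(?P<level>[A-Z]+) \[(?P<timestamp>[^\]]+)\] "
    r"\(\{(?P<thread>[^}]+)\} (?P<file>[\w.]+)\[(?P<method>\w+)\]:(?P<line>\d+)\) - (?P<rest>.*)$"
)

# Command form only: RECEIVE/SEND, a direction arrow, then the payload name.
# Assumed grok equivalent: ^(?<cmd>RECEIVE|SEND) (?<cmd_direction><<|>>) %{NOTSPACE:cmd_data}$
COMMAND = re.compile(r"^(?P<cmd>RECEIVE|SEND) (?P<cmd_direction><<|>>) (?P<cmd_data>\S+)$")


def parse_line(line):
    """Return a dict of fields, or None if the line does not have the common prefix."""
    m = PREFIX.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    rest = fields.pop("rest")
    # Same idea as the Logstash conditional: only run the command pattern when the
    # tail actually is a command; anything else is kept whole as cmd_info.
    c = COMMAND.match(rest)
    if c:
        fields.update(c.groupdict())
    else:
        fields["cmd_info"] = rest
    return fields


if __name__ == "__main__":
    for entry in LOG_LINES:
        print(parse_line(entry))
```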

I had a similar problem ...

It helped me:

if ("SEND" in [message]) {
   grok {
      # do your grok here
   }
}
vvator