Logstash grok pattern to filter a pretty long log line, add ignore between

Question

This is a log line

2015-10-05 12:04:19.199  INFO 4808 --- [metrics-logger-reporter-2-thread-1] com.example.metrics                      : type=TIMER, name=demo.ws.rest.controllers.ItemController.getAllItems, count=0, min=0.0, max=0.0, mean=0.0, stddev=0.0, median=0.0, p75=0.0, p95=0.0, p98=0.0, p99=0.0, p999=0.0, mean_rate=0.0, m1=0.0, m5=0.0, m15=0.0, rate_unit=events/second, duration_unit=milliseconds

I tried to learn grok and this is what i have so far

  "message" => "%{TIMESTAMP_ISO8601:time}%{SPACE}%{WORD}%{SPACE}%{NUMBER}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{WORD}%{NOTSPACE}%{WORD:metrictype}%{NOTSPACE}%{SPACE}%{WORD:vardspirms}%{DATA:pirms}%{JAVAFILE:javafilename}%{NOTSPACE:peec}%{SPACE}%{WORD}%{NOTSPACE}%{NUMBER:count}%{GREEDYDATA:debuginfo}"

And it looks so long, inefficient and bad practise. I would like to know, how can I add ignore inside grok. so i can ignore everything between INFO and type. Sorry for my english, Im not a native speaker.

If anyone can add a link that explains a bit more than https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html would be appreciated :) — GrugBrainedDeveloper, Oct 05 '15 at 10:25

score 1 · Accepted Answer · answered Oct 05 '15 at 11:29

1

I found a pretty handy solution.

kv {
    source => "debuginfo" # new field generated by grok before
    field_split => ", " # split fields by semicolon
    }

Seems to split everything in debuginfo pretty good.

answered Oct 05 '15 at 11:29

GrugBrainedDeveloper

21
6

Logstash grok pattern to filter a pretty long log line, add ignore between

1 Answers1