
Can anyone please tell me the GROK pattern for this log

I am new to Logstash. Any help is appreciated

"ppsweb1 [ERROR] [JJN01234313887b4319ad0536bf6324j34h5469624340M] [913h56a5-e359-4a75-be9a-fae60d1a5ecb] 2016-07-28 13:14:58.848 [http-nio-8080-exec-4] PaymentAction - Net amount 149644"

halfer
Shamik Mukherjee

1 Answer


I tried the following:

%{WORD:field1} \[%{LOGLEVEL:field2}\] \[%{NOTSPACE:field3}\] \[%{NOTSPACE:field4}\] %{TIMESTAMP_ISO8601:timestamp} \[%{NOTSPACE:field5}\] %{WORD:field6} - %{GREEDYDATA:field7} %{NUMBER:field8}

And I got the output as:

{
  "field1": [
    [
      "ppsweb1"
    ]
  ],
  "field2": [
    [
      "ERROR"
    ]
  ],
  "field3": [
    [
      "JJN01234313887b4319ad0536bf6324j34h5469624340M"
    ]
  ],
  "field4": [
    [
      "913h56a5-e359-4a75-be9a-fae60d1a5ecb"
    ]
  ],
  "timestamp": [
    [
      "2016-07-28 13:14:58.848"
    ]
  ],
  "field5": [
    [
      "http-nio-8080-exec-4"
    ]
  ],
  "field6": [
    [
      "PaymentAction"
    ]
  ],
  "field7": [
    [
      "Net amount"
    ]
  ],
  "field8": [
    [
      "149644"
    ]
  ]
}

You can change the names of fields as you want. You haven't mentioned anything about expected output in your question. So this is just to give you a basic idea. For further modifications you can use http://grokdebug.herokuapp.com/ to verify your filter.

Note: I have used basic patterns; there are more complex patterns available, and you can play around with the debugger to suit your requirements.

Good luck!

Mrunal Pagnis
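To see what the pattern in the answer captures without a running Logstash, here is an added Python example (not code from the answer, nor from Logstash itself) that expands the `%{PATTERN:field}` references into a regex and parses the sample line. The base patterns are trimmed approximations of the ones in logstash-patterns-core, and the field names (host, level, session, ...) are my own choice in place of field1..field8.

```python
import re
from typing import Optional

# Simplified stand-ins for the grok base patterns the answer uses.
# The real logstash-patterns-core definitions are broader (e.g. more log
# levels, full ISO 8601 time zones); these cover the sample line only.
BASE_PATTERNS = {
    "WORD": r"\b\w+\b",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL|SEVERE)",
    "NOTSPACE": r"\S+",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?",
    "GREEDYDATA": r".*",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
}

# Matches a grok reference such as %{WORD:host} or an unnamed %{NUMBER}.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_compile(pattern: str) -> "re.Pattern[str]":
    """Expand grok references into a Python regex with named groups."""
    def expand(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        body = BASE_PATTERNS[name]  # unknown pattern name raises, as grok would
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))

def grok_match(pattern: str, line: str) -> Optional[dict]:
    """Return the captured fields, or None where Logstash would tag _grokparsefailure."""
    m = grok_compile(pattern).fullmatch(line)
    return m.groupdict() if m else None

# Same structure as the answer's pattern, with descriptive field names (my choice).
PATTERN = (r"%{WORD:host} \[%{LOGLEVEL:level}\] \[%{NOTSPACE:session}\] "
           r"\[%{NOTSPACE:request_id}\] %{TIMESTAMP_ISO8601:timestamp} "
           r"\[%{NOTSPACE:thread}\] %{WORD:logger} - %{GREEDYDATA:message} %{NUMBER:amount}")

# The log line from the question.
SAMPLE_LINE = ("ppsweb1 [ERROR] [JJN01234313887b4319ad0536bf6324j34h5469624340M] "
               "[913h56a5-e359-4a75-be9a-fae60d1a5ecb] 2016-07-28 13:14:58.848 "
               "[http-nio-8080-exec-4] PaymentAction - Net amount 149644")

if __name__ == "__main__":
    print(grok_match(PATTERN, SAMPLE_LINE))
    print(grok_match(PATTERN, "a line that does not follow the format"))  # None
```

Because GREEDYDATA is matched before NUMBER, the regex engine backtracks so that `message` ends at "Net amount" and `amount` gets "149644", which is exactly why the answer's pattern splits the trailing text that way.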