How to write custom grok for logstash

Question

I'm trying to test the some custom log filter for logstash but somehow i'm not able to get it, I googled and looked over many examples but I am not able to create a one I want.

Below is my log patterns:

testhost-in2,19/01/11,06:34,04-mins,arnav,arnav 2427 0.1 0.0 58980 580 ? S 06:30 0:00 rm -rf /test/ehf/users/arnav-090119-184844,/dv/ehf/users/arnav-090119-
testhost-in2,19/01/11,06:40,09-mins,arnav,arnav 2427 0.1 0.0 58980 580 ? S 06:30 0:00 rm -rf /dv/ehf/users/arnav-090119-184844,/dv/ehf/users/arnav-090119-\
testhost-in2,19/01/11,06:45,14-mins,arnav,arnav 2427 0.1 0.0 58980 580 ? S 06:30 0:01 rm -rf /dv/ehf/users/arnav-090119-184844,/dv/ehf/users/arnav-090119-\

below is what I trying to create but does not works.

HOSTNAME:hostname  DATE:date HOURS_Time:hour_min  USERNAME: username USERNAME:username  NUMBER:pid   COMMAND

any help Will be much appreciated.

Tried:

%{HOSTANME}%{TIMESTAMP_ISO8601:RecordedDateTimeStamp} %{USERNAME:User} %{USERNAME:User} %{NUMBER:PID} %{FLOAT:mem} %{FLOAT:res}  %{NUMBER:PID} %{NUMBER:PID} %{GREEDYDATA}

AND

%{HOSTANME}%{TIMESTAMP_ISO8601}%{HOUR}%{MINUTE}%{NUMBER}%{WORD}%{USER}%{USER}%{NUMBER: pid}%{NUMBER:float}%{NUMBER:float}%{NUMBER}%{NUMBER}%{GREEDYDATA}

@Val, I Just updated in post but i'm not getting exactly it. — krock1516, Jan 12 '19 at 14:29

score 2 · Accepted Answer · answered Jan 12 '19 at 15:49

2

Great start! Here is a grok pattern that should work better:

%{HOSTNAME:hostname},%{DATE:date},%{HOUR:hour1}:%{MINUTE:minute1},%{NUMBER}-%{WORD},%{USER:user},%{USER:user2} %{NUMBER:pid} %{NUMBER:float} %{NUMBER:float} %{NUMBER:number1} %{NUMBER:number2} %{DATA} %{HOUR:hour2}:%{MINUTE:minute2} %{HOUR:hour3}:%{MINUTE:minute3} %{GREEDYDATA:command},%{PATH:path}

answered Jan 12 '19 at 15:49

Val

207,596
13
358
360

@ Val, as always very nice and great Solution, I love your style and unique expertise on the Subject. Thnx a mile. – krock1516 Jan 12 '19 at 15:55
Thanks! Always glad to help out when I can ;-) – Val Jan 12 '19 at 15:55
You are my mentor on this Subject always! Thx a mile again. Do you Know where I can look for these grok patterns & explanation apart from One on the GitHub [grok](https://github.com/hpcugent/logstash-patterns/blob/master/files/grok-patterns). – krock1516 Jan 12 '19 at 15:58
You can start with this good article: https://logz.io/blog/logstash-grok/ – Val Jan 12 '19 at 16:02

How to write custom grok for logstash

1 Answers1

Linked