Reputation: 871
parsing custom log in Logstash
I want to ask your help in parsing my logs in custom format. I tried to use http://grokdebug.herokuapp.com/ for discover my log format, but unfortunately I didn't succeed. my log has the next format:
#AdressHost#TypeLogs|OrganizationName|[email protected]|CallMethod|ExecutionTimeOnDB|ExecutionTimeOnAppServer|Date Time
for example:
#mac.frozm.com#CallInfo|Jonsens|[email protected]|GetTotalsInfo|19|3|2014-05-11 07:49:10
I try to use the following pattern:
#%{URIHOST}#CallInfo|Jonsens|%{USER:auth}@%{URIPROTO}|GetTotalsInfo|%{NUMBER:duration}|0|%{DATESTAMP} %{TIME}
but Logstash keeps throwing "_grokparsefailure" Can you help me or might suggest another way for parsing log in the Logstash tool
Upvotes: 0
Views: 993
Answers (1)
Reputation: 98
This part:
GetTotalsInfo|19|3|
does not seem to match up with this part of your pattern:
GetTotalsInfo|%{NUMBER:duration}|0|
as you specify a 0 in the pattern where in your example you have a 3.
Here's a general piece of advice when building grok patterns. Do small pieces of the pattern at a time, and check to see if they work first before building up a larger pattern. You can use this to debug patterns that are giving you trouble, taking each individual piece and testing them.
For example, just start out with a pattern like this and check to see if it works:
"^#%{URIHOST}"
(the ^ is a regex anchor that guarantees there are no preceding characters) Build up from there.
I hope this helped!
Upvotes: 1
Related Questions
- Logstash grok filter : parsing custom application logs
- logstash log parsing with regex and grok
- How to write custom grok for logstash
- Log parsing with dissect
- Logstash custom log parsing
- Custom Grok Pattern for logs
- Trying to parse a custom log using grok
- Logstash Grok Filter - parsing custom file
- Logstash grok parse error parsing log file
- Logstash grok pattern to filter custom Log message