Ronald Flores
Reputation: 3
Logstash pattern for log4j
I'm setting up Elasticsearch, Logstash and Kibana. I encountered an error when I am configuring "logstash.conf". Here's the error I got.
{:timestamp=>"2015-05-25T21:56:59.907000-0400", :message=>"Error: Expected one of #, {, ,, ] at line 12, column 49 (byte 265) after filter {\n grok {\n match => [\"message\", \"<log4j:event logger=\""}
{:timestamp=>"2015-05-25T21:56:59.915000-0400", :message=>"You may be interested in the '--configtest' flag which you can\nuse to validate logstash's configuration before you choose\nto restart a running system."}
This is my logstash.conf
grok {
match => ["message", "<log4j:event logger="%{DATA:emitter}" timestamp="%{BASE10NUM:timestamp}" level="%{LOGLEVEL:level}" thread="%{DATA:thread}">, <log4j:message><%{GREEDYDATA:message}></log4j:message>" ]
}
I am new to ELK.
Upvotes: 0
Views: 829
Answers (1)
Magnus Bäck
Reputation: 11571
Since your grok pattern contains double quotes you have to either
- escape the double quotes inside the expression by preceding them with a backslash, or
- use single quotes as the pattern string delimiter.
Example 1:
grok {
match => ["message", "<log4j:event logger=\"%{DATA:emitter}\" ..." ]
}
Example 2:
grok {
match => ["message", '<log4j:event logger="%{DATA:emitter}" ...' ]
}
Upvotes: 0
Related Questions
- A complicated logstash pattern in Grok
- grok pattern for log event
- what will be the Grok pattern for this custom log pattern?
- grok filter for processing log4j logs pattern in Logstash
- Custom Grok Pattern for logs
- Multiple patterns in one log
- DATA pattern in logstash - grok
- logstash grok build in pattern for java.util.logging LOGLEVEL
- What should be the logstash grok filter for this log4j log?
- Logstash grok pattern issue