DMack
Reputation: 51
Logstash grok square brackets
I'm trying to get some sort of grok pattern to work with the following logging format :
*Sun 07:05:18.372 INFO [main] [userID] perf - 0ms - select x from y
The problem I'm having is the field in square brackets that I've annotated here as userID. Sometimes this field is populated and at other times it is not. If I use the grok pattern below :
*%{DAY:Day} %{TIME:Time} %{LOGLEVEL:Loglevel}\s+(\[%{WORD:module}\]\s+)(\[%{HOSTNAME:id}\]\s+)%{GREEDYDATA:logline}*
It parses correctly as long as there is some data in the UserID field. If that field is empty ( example below ) it doesn't match. Any ideas gratefully received!
*Sun 07:05:18.372 INFO [main] [] perf - 0ms - select x from y
Upvotes: 5
Views: 17483
Answers (2)
Markus
Reputation: 2183
the question is not about the escaping of the [] a simple zero or more operator (?) should do it:
(?\[%{WORD:module}?]\s+)
(the second ?)
Upvotes: 0
Erez Rabih
Reputation: 15808
Did you try to escape the brackets with backward slash?
As in \[%{WORD:module}\]
Upvotes: 9
Related Questions
- How to write the grok expression for my log?
- Grok parse data inside square brackets
- getting rid of colon in grok
- Grok Parsing Failure in logstash with Pattern That Includes Square Brackets
- List of SYNTAX for logstash's grok
- grok expression to pull string with in brackets
- Logstash grok for special character
- Logstash grok pattern issue
- Logstash Grok parser
- Logstash Grok Pattern