Richie
Reputation: 5199
writing grok pattern to split key value pairs
This is my first experience with using grok and elasticsearch. I'm trying to write a grok file to do parse the following line.
2017-07-25 10:48:23,477 [[api-my-app-v1-20.0.0].apiHttpListenerConfig.worker.58] INFO esb.api-my-app-v1.get-blah.http.response - transactionID=f61b8053-70d2-11e7-b274-3639cc5335d0 creationTime=2017-07-25T10:48:23.254+10:00 txnState=END timeTaken=11
So far I have written this grok...
%{TIMESTAMP_ISO8601:timestamp}\s+%{DATA:thread}\s+%{LOGLEVEL:loglevel}\s+%{JAVACLASS:category}\s+-\s+%{GREEDYDATA:msgbody}
It gives me back this....
{
"timestamp": [
[
"2017-07-25 10:48:23,477"
]
],
"YEAR": [
[
"2017"
]
],
"MONTHNUM": [
[
"07"
]
],
"MONTHDAY": [
[
"25"
]
],
"HOUR": [
[
"10",
null
]
],
"MINUTE": [
[
"48",
null
]
],
"SECOND": [
[
"23,477"
]
],
"ISO8601_TIMEZONE": [
[
null
]
],
"thread": [
[
"[[api-my-app-v1-20.0.0].apiHttpListenerConfig.worker.58]"
]
],
"loglevel": [
[
"INFO"
]
],
"category": [
[
"esb.api-my-app-v1.get-blah.http.response"
]
],
"msgbody": [
[
"transactionID=f61b8053-70d2-11e7-b274-3639cc5335d0 creationTime=2017-07-25T10:48:23.254+10:00 txnState=END timeTaken=11"
]
]
}
This is almost what I want. How can I split the msgbody from my current result into key value pairs?
thanks
Upvotes: 5
Views: 6975
Answers (1)
baudsp
Reputation: 4100
With the kv filter:
kv {
source => "msgbody"
}
you'll have the key-pair values from the msgbody in fields in your result. Also you won't have to change your grok pattern if the keys change.
Upvotes: 5
Related Questions
- Grok pattern for data separated by pipe
- Logstash Grok pattern to cut split a string in the log line using regex
- A complicated logstash pattern in Grok
- LogStash dissect with key=value, comma
- Logstash grok multiple match
- Log parsing with dissect
- Logstash - Split characters in string into 2 fields
- Logstash pattern dealing with multiple matches
- Logstash GROK parsing of variable length set of key/value pairs
- grok pattern for extracting info in logstash