Reputation: 2522
I have a log pattern where every log element is enclosed in square brackets. I can't control the original log. I just want the grok parsing to ignore the brackets and only interpret what's between them. Based on something close to the following line:
2019-04-04 13.23.57.057 [52] [77] [MEASURE] [XYZService]
I want the pattern to see the 52 as a threadId. I have the following code:
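if [message] =~ "MEASURE" {
  grok {
    # The square brackets around %{NUMBER:threadId} are unescaped here (the state the question describes)
    match => { "message" => "%{TIMESTAMP_ISO8601:logtime} [%{NUMBER:threadId}] %{GREEDYDATA:restofmessage}" }
  }
}
else {
  # drop is a filter plugin, so it takes a block rather than call syntax
  drop { }
}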
In this state, I get a grokparsefailure when Logstash attempts to interpret the line. I am certain it's only related to the bracketed portion, because when I remove that pattern, everything works fine. I would be grateful for any ideas what I am doing wrong. Thanks.
Upvotes: 0
Views: 248
Reputation: 2522
Never mind. I got it to work by escaping the brackets like this: \[%{NUMBER:threadId}\]
Upvotes: 1
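Why the escape matters, as an added example that is not part of either post: grok patterns expand to regular expressions, so unescaped [ ] open a character class and the %{NUMBER:threadId} inside it never becomes a capture. The expander, the simplified pattern definitions in DEFS (stand-ins, not the real grok library patterns) and the sample lines with a colon-separated time are assumptions constructed for this sketch.

```ruby
# Simplified stand-ins for grok library patterns (assumption: the real
# definitions are more permissive than these).
DEFS = {
  "TIMESTAMP"  => '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}',
  "NUMBER"     => '\d+',
  "GREEDYDATA" => '.*'
}.freeze

# Expand %{NAME:field} references into named capture groups, as grok does.
def grok_to_regex(pattern)
  src = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    body = DEFS.fetch($1)
    $2 ? "(?<#{$2}>#{body})" : "(?:#{body})"
  end
  Regexp.new(src)
end

# Return the extracted fields, or nil (the grokparsefailure case).
def parse(pattern, line)
  m = grok_to_regex(pattern).match(line)
  m && m.named_captures
end

UNESCAPED = '%{TIMESTAMP:logtime} [%{NUMBER:threadId}] %{GREEDYDATA:restofmessage}'
ESCAPED   = '%{TIMESTAMP:logtime} \[%{NUMBER:threadId}\] %{GREEDYDATA:restofmessage}'

# Constructed sample lines, modelled on the line in the question.
LINE       = '2019-04-04 13:23:57.057 [52] [77] [MEASURE] [XYZService]'
BARE_DIGIT = '2019-04-04 13:23:57.057 5 no brackets here'

if __FILE__ == $PROGRAM_NAME
  # Unescaped: "[...]" is a one-character class, so "[52]" cannot match.
  puts "unescaped on LINE:       #{parse(UNESCAPED, LINE).inspect}"
  # It does match a single bare digit, and threadId is not even a group.
  puts "unescaped on BARE_DIGIT: #{parse(UNESCAPED, BARE_DIGIT).inspect}"
  puts "unescaped group names:   #{grok_to_regex(UNESCAPED).names.inspect}"
  # Escaped: literal brackets, threadId is captured.
  puts "escaped on LINE:         #{parse(ESCAPED, LINE).inspect}"
end
```

Ruby may print a "character class has duplicated range" warning when compiling the unescaped form; that warning is itself a sign the brackets are being read as a class. A pattern that fails this way leaves events tagged _grokparsefailure with none of the intended fields, so it is worth testing new patterns against sample lines before relying on the parsed fields.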