Muhammad Badawy

Reputation: 21

How to parse date pattern using grok

How to parse the below log line using grok? Also, how to match the pattern of the date? I tried %{TIMESTAMP_ISO8601:logtime} but got no match.

Log Line:

13-Nov-2019 00:00:20.230 DEBUG [[ACTIVE] ExecuteThread: '272' for queue: 'weblogic.kernel.Default (self-tuning)'] [196.157.7.12] 965929132 [wire] >> "[\n]"

Upvotes: 0

Views: 1073

Answers (1)

Anirudh

Reputation: 682

The question is a bit unclear as to exactly what fields you want them mapped to.

So, here's what matches for me:

%{MONTHDAY:day}[-]%{MONTH:month}[-]%{YEAR:year} %{TIME:time} %{WORD:logtype} \[\[%{WORD:status}\] ExecuteThread: '%{NUMBER:threadNumber}' for queue: '%{GREEDYDATA:queueData}'\] \[%{IP:ip}\] %{NUMBER:numbers} \[%{WORD:text}\] >> "\[\\n\]"

The first 4 fields answer your date/time pattern query, and the rest is what I have used to fit the rest of the fields. Since no exact mappings were provided, I have mapped them as per my understanding using

This is the output:

{
  "day": [
    [
      "13"
    ]
  ],
  "month": [
    [
      "Nov"
    ]
  ],
  "year": [
    [
      "2019"
    ]
  ],
  "time": [
    [
      "00:00:20.230"
    ]
  ],
  "logtype": [
    [
      "DEBUG"
    ]
  ],
  "status": [
    [
      "ACTIVE"
    ]
  ],
  "threadNumber": [
    [
      "272"
    ]
  ],
  "queueData": [
    [
      "weblogic.kernel.Default (self-tuning)"
    ]
  ],
  "ip": [
    [
      "196.157.7.12"
    ]
  ],
  "numbers": [
    [
      "965929132"
    ]
  ],
  "text": [
    [
      "wire"
    ]
  ]
}

You can break 'time' further if you want. For any other combinations of patterns, refer to Grok Patterns.

Upvotes: 1
