Reputation: 1
I am new to Grok and I have a log message. I need to parse it into 3 fields: IP, date & time, and the rest. Please give me advice.
Here is what I tried; it cannot split the date/time from the rest of the message.
Thanks everyone
Upvotes: 0
Views: 148
Reputation: 196
You can see some default patterns in grok-pattern.json.
First you need to define the custom pattern called DATESTAMP_CUSTOM to match your time string:
%{MONTHDAY}/%{MONTH}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE}
And use it in the grok pattern:
%{IPORHOST:ip} - - \[%{DATESTAMP_CUSTOM:dts}\] %{GREEDYDATA:rest}
Output in the grok debugger:
[
  {
    "ip": "127.0.0.1",
    "dts": "31/Mar/2022:21:40:35 -0500",
    "rest": "\"POST /dispatcher-918200/dispReceiver HTTP/1.1\" 200 "
  }
]
Adding it in Logstash
Write a pattern file that contains the line:
# contents of ./patterns/datestamp_custom:
DATESTAMP_CUSTOM %{MONTHDAY}/%{MONTH}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE}
Use the patterns_dir setting to tell Logstash where your custom patterns directory is:
filter {
  grok {
    patterns_dir => ["./patterns"]
    match => { "message" => "%{IPORHOST:ip} - - \[%{DATESTAMP_CUSTOM:dts}\] %{GREEDYDATA:rest}" }
  }
}
Upvotes: 0
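As an added example (not from the question or the answer above), here is a small Python re-implementation of grok expansion that shows how DATESTAMP_CUSTOM is composed from the stock sub-patterns and how the three fields come out, plus the timestamp normalisation a date filter would do afterwards. The sub-pattern regexes are my approximation of the Logstash library, and the sample line is reconstructed from the debugger output in the answer.

```python
import re
from datetime import datetime

# Subset of the stock grok library, restated as Python regexes (an approximation
# of the Logstash definitions, enough for this line format).
BASE_PATTERNS = {
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "YEAR": r"(?:\d{4}|\d{2})",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:[0-5]?[0-9](?:[:.,][0-9]+)?|60)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-](?:2[0123]|[01]?[0-9])(?::?[0-5][0-9]))",
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|[01]?\d?\d)){3})",
    "HOSTNAME": r"(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\.?)",
    "GREEDYDATA": r".*",
}
BASE_PATTERNS["IPORHOST"] = f"(?:{BASE_PATTERNS['IPV4']}|{BASE_PATTERNS['HOSTNAME']})"

# The custom pattern from the answer, as it would sit in ./patterns/datestamp_custom.
CUSTOM_PATTERNS = {
    "DATESTAMP_CUSTOM": "%{MONTHDAY}/%{MONTH}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE}",
}
LIBRARY = {**BASE_PATTERNS, **CUSTOM_PATTERNS}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}
MATCH = r"%{IPORHOST:ip} - - \[%{DATESTAMP_CUSTOM:dts}\] %{GREEDYDATA:rest}"

def compile_grok(pattern, library=LIBRARY):
    """Expand grok references recursively into one Python regex string.
    An unknown name raises KeyError, like Logstash's 'pattern not defined' error."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = compile_grok(library[name], library)  # DATESTAMP_CUSTOM itself contains references
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)

def parse_line(line):
    """Return the three fields plus a normalised @timestamp, or None on a grok failure."""
    m = re.fullmatch(compile_grok(MATCH), line)
    if m is None:
        return None  # Logstash would tag the event _grokparsefailure instead
    fields = m.groupdict()
    # Turn the Apache-style dts string into an ISO timestamp (what the date filter does)
    fields["@timestamp"] = datetime.strptime(fields["dts"], "%d/%b/%Y:%H:%M:%S %z").isoformat()
    return fields

# Constructed sample line, reconstructed from the debugger output in the answer.
SAMPLE_LINE = '127.0.0.1 - - [31/Mar/2022:21:40:35 -0500] "POST /dispatcher-918200/dispReceiver HTTP/1.1" 200'
```

Lines that do not match return None rather than a partial record, which is the case to watch for in a pipeline: a silently unparsed line never reaches your detection queries.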