Grok parsing issue using parsing log containing text starting [date] [hostname] - logstash

I am trying to parse the below log using grok
[2018-10-06 12:04:03:0227] [MYMACHINENAME]
and the grok expression which I used is
/[%{DATESTAMP:date}/] /[%{WORD:data}%/]
and this expression is not working. I tried to replace WORD with hostname; even then it is not working, and if I try either of the matchers alone then it works.
Can anyone point me to better tutorial pages to learn grok expressions?

There are a few errors in your pattern.
First off, you escape characters using a backslash \ not a forward slash /. Second, you don't need % to match ] at the end.
Third, DATESTAMP doesn't match your date pattern, you need TIMESTAMP_ISO8601.
Your final pattern should become:
\[%{TIMESTAMP_ISO8601}\] \[%{WORD}\]

Regex pattern DATESTAMP is not correct for your string. Try using TIMESTAMP_ISO8601.
Here you can see all grok regex patterns: grok-patterns.

Related

Logstash Grok regex expression works fine alone but doesn't work when grouped with other grok expressions

My grok expression works fine when used with the matching string alone but when I use this grok expression with other grok expressions to capture other data that's also present in the log line, it doesn't match with the same matching string.
Case 1: The grok expression below works fine when run alone on the log string below, and the value is captured in the field targetMessage
Log string: Tracking : sent request to msgDestination
Grok expression: (?<targetMessage>^Tracking : (?:received response from|sent request to) msgDestination$)
Case 2: When I try to run the expression with some other data also present in the log string, it doesn't work, i.e. the grok expression doesn't match the same string as used above.
Log string:
2022-11-26 8:16:39,873 INFO [task.SomeTask] Tracking : sent request to msgDestination : MODULE1|SERVICE1|20220330051054|TASK1
Grok expression: %{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} \[(?<classname>[^\]]+)\] (?<targetMessage>^Tracking : (?:received response from|sent request to) msgDestination$) : %{WORD:moduleName}\|%{WORD:service}\|%{INT:requestId}\|%{WORD:taskName}
Debug tool used: https://grokdebug.herokuapp.com/
Can anyone please suggest what mistake I'm making here?
^ and $ anchor an expression to the start and end of a line respectively. You have both inside the targetMessage custom pattern, and that is in the middle of the line, so neither one matches. Remove both ^ and $.

Grok filter is not working when id has dashes

I have a sample input like below.
[2022-01-06 19:51:42,143] [http-nio-8080-exec-7] DEBUG [50a4f8740c30b9ca,c1b11682-1eeb-4538-b7f6-d0fb261b3e1d]
I implemented a grok filter to validate the text.
\[%{TIMESTAMP_ISO8601:timestamp}\] \[(?<threadname>[^\]]+)\] %{LOGLEVEL:logLevel} \[%{WORD:traceId},%{WORD:correlationId}\]
When I validate it, it says there are no matches.
But if I remove the - in the correlation id, the filter works fine. Is there any modification to make to the filter so that it accepts - in the correlation id?
Try this.
\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:threadName}\] %{LOGLEVEL:logLevel} \[%{DATA:traceId},%{DATA:correlationId}\]
According to this, the %{WORD} pattern is defined by the regular expression \b\w+\b
\w captures alphanumeric characters
\b captures word boundaries; it lets you match whole words only
So if your original text contains a -, it will never capture it.
You can try %{DATA} instead, as it captures .*?

Logstash Grok pattern to cut split a string and remove last part

Below is the field, which is the filebeat log path, that I need to split on the delimiter '/' to remove the log file name from the text.
"source" : "/var/log/test/testapp/c.log"
I need only this part
"newfield" : "/var/log/test/testapp"
If you do a little research you will find that this is a trivial question without much complexity. You can use grok-patterns to match the interesting parts and differentiate the one you want to retrieve from the one you don't.
A pattern like this will match as you expected, having the newfield as you desire:
%{GREEDYDATA:newfield}(/%{DATA}.log)
Anyway, you can test your Grok patterns with this tool, and here you have some useful grok-patterns. I recommend you take a look at those resources.

grok pattern for jmeter

I am trying to parse the below log
2015-07-07T17:51:30.091+0530,857,SelectAppointment,Non HTTP response code: java.net.URISyntaxException,FALSE,8917,20,20,0,1,1,byuiepsperflg01
Now I am unable to parse Non HTTP response code: java.net.URISyntaxException into one field. Please help me build the pattern.
This is the pattern I'm using
%{TIMESTAMP_ISO8601:log_timestamp}\,%{INT:elapsed}\,%{WORD:label}\,%{INT:respons‌ecode}\,%{WORD:responsemessage}\,%{WORD:success}\,%{SPACE:faliusemessage}\,%{INT:‌​bytes}\,%{INT:grpThreads}\,%{INT:allThreads}\,%{INT:Latency}\,%{INT:SampleCount}\‌​,%{INT:ErrorCount}\,%{WORD:Hostname}
If you paste your input and pattern into the grok debugger, it says "Compile ERROR". It might be an SO problem, but you had some weird characters in your pattern ("<200c><200b>").
The trick to building custom patterns is to start at the left side and pull one piece off at a time. With that, you would notice that this partial pattern works:
%{TIMESTAMP_ISO8601:log_timestamp},%{INT:elapsed},%{WORD:label}
but this one returns "No Matches":
%{TIMESTAMP_ISO8601:log_timestamp},%{INT:elapsed},%{WORD:label},%{INT:responsecode}
because you don't have an integer in that position.
Continue adding fields one at a time until everything you want is matched.
Note that you don't have to escape the commas.
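As an added example (not code from this page or from Logstash), a minimal Ruby re-implementation of grok's %{NAME:field} expansion, run against the lines from the questions above to show the fixes the answers give: escaped brackets with TIMESTAMP_ISO8601, the ^/$ anchors, WORD versus DATA for the dashed correlation id, GREEDYDATA for the path, and the JMeter pattern built up one field at a time. The pattern regexes are hand-simplified from the grok-patterns file; Logstash's own definitions are stricter.

```ruby
# Added example: a tiny grok expander in Ruby. Not Logstash's grok (that is
# Java/JRuby); the regexes below are hand-simplified from the grok-patterns file
# and cover only the patterns used in the questions above.
PATTERNS = {
  "INT"        => '[+-]?\d+',
  "WORD"       => '\b\w+\b',   # \w has no '-', so a dashed id can never match
  "DATA"       => '.*?',       # lazy: stops as soon as what follows can match
  "GREEDYDATA" => '.*',        # greedy: runs to the end, then backtracks
  "LOGLEVEL"   => '(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)',
  "TIMESTAMP_ISO8601" =>
    '\d{4}-\d{2}-\d{2}[T ]\d{1,2}:?\d{2}(?::?\d{2}(?:[:.,]\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?',
}.freeze

# Rewrite %{NAME:field} as (?<field>regex) and %{NAME} as (?:regex), then compile.
def compile_grok(pattern)
  expanded = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    body = PATTERNS.fetch(name) { raise ArgumentError, "unknown pattern #{name}" }
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
  Regexp.new(expanded)
end
# Hash of named captures, or nil when the line does not match (grok's "No Matches").
def grok(pattern, line)
  m = compile_grok(pattern).match(line)
  m && m.named_captures
end

# Sample lines constructed from the questions above.
LINE1 = "[2018-10-06 12:04:03:0227] [MYMACHINENAME]"
LINE2 = "2022-11-26 8:16:39,873 INFO [task.SomeTask] Tracking : sent request to msgDestination : MODULE1|SERVICE1|20220330051054|TASK1"
LINE3 = "[2022-01-06 19:51:42,143] [http-nio-8080-exec-7] DEBUG [50a4f8740c30b9ca,c1b11682-1eeb-4538-b7f6-d0fb261b3e1d]"
LINE4 = "2015-07-07T17:51:30.091+0530,857,SelectAppointment,Non HTTP response code: java.net.URISyntaxException,FALSE"
PATH  = "/var/log/test/testapp/c.log"
HEAD  = '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} \[(?<classname>[^\]]+)\] '
TAIL  = ' : %{WORD:moduleName}\|%{WORD:service}\|%{INT:requestId}\|%{WORD:taskName}'
TRACE = '\[%{TIMESTAMP_ISO8601:ts}\] \[%{DATA:thread}\] %{LOGLEVEL:level} '
JM    = '%{TIMESTAMP_ISO8601:log_timestamp},%{INT:elapsed},%{WORD:label}'

# 1. brackets escaped with backslashes, TIMESTAMP_ISO8601 instead of DATESTAMP
p grok('\[%{TIMESTAMP_ISO8601:date}\] \[%{WORD:data}\]', LINE1)
# 2. ^ and $ inside a mid-line custom pattern: nil; without them it matches
p grok(HEAD + '(?<targetMessage>^Tracking : (?:received response from|sent request to) msgDestination$)' + TAIL, LINE2)
p grok(HEAD + '(?<targetMessage>Tracking : (?:received response from|sent request to) msgDestination)' + TAIL, LINE2)
# 3. WORD rejects the dashed correlation id (nil); DATA accepts it
p grok(TRACE + '\[%{WORD:traceId},%{WORD:correlationId}\]', LINE3)
p grok(TRACE + '\[%{DATA:traceId},%{DATA:correlationId}\]', LINE3)
# 4. GREEDYDATA backtracks to the last '/', so only the directory lands in newfield
p grok('%{GREEDYDATA:newfield}(/%{DATA}.log)', PATH)
# 5. JMeter: the partial pattern matches, appending ,%{INT:responsecode} gives nil
p grok(JM, LINE4), grok(JM + ',%{INT:responsecode}', LINE4)
```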

Lua Pattern for extracting/replacing value in / /

I have a string like hello /world today/
I need to replace /world today/ with /MY NEW STRING/
Reading the manual I have found
newString = string.match("hello /world today/","%b//")
which I can use with gsub to replace, but I wondered whether there is also an elegant way to return just the text between the /. I know I could just trim it, but I wondered if there was a pattern.
Try something like one of the following:
slashed_text = string.match("hello /world today/", "/([^/]*)/")
slashed_text = string.match("hello /world today/", "/(.-)/")
slashed_text = string.match("hello /world today/", "/(.*)/")
This works because string.match returns any captures from the pattern, or the entire matched text if there are no captures. The key then is to make sure that the pattern has the right amount of greediness, remembering that Lua patterns are not a complete regular expression language.
The first two should match the same texts. In the first, I've expressly required that the pattern match as many non-slashes as possible. The second (thanks lhf) matches the shortest span of any characters at all followed by a slash. The third is greedier, it matches the longest span of characters that can still be followed by a slash.
The %b// in the original question doesn't have any advantages over /.-/ since the two delimiters are the same character.
Edit: Added a pattern suggested by lhf, and more explanations.