Develop Reference

Regex group from within custom grok pattern

I'm trying to create custom grok patterns to extract various data using logstash and am wracking my brain getting the syntax correct to pull the regex group 1 equivalent from my log rows. I've looked at a ton of threads on this over the past 2 days, but nothing's out there that fits my example, and none of the canned grok patterns seem like they will pull the value I need.
3 example log file rows look similar to this (with abbreviated data for the examples):
2022-04-07 12:52:06,184:INFO :Thread-70_SCHEDULE.0001: MsgID=63759111848731967
2022-04-07 07:23:39,876:INFO :Thread-53_OrderInterfaceIntServer: MsgID=21316889724753182|
07:23:40,482 INFO [stdout] (http-/0.0.0.0:8080-20) 2022-04-07 07:23:40,482:ERROR
I want to create a custom grok pattern called SERVICE that extracts a pattern match using a regex match string:
Thread-[0-9]{2}_(.*?)\:
that for the 3 rows would return:
SCHEDULE.0001
OrderInterfaceIntServer
""
In the log:
SERVICE will always be prefixed by "Thread-xx_" where xx = 2-digit number followed by underscore. Some logs may not have this pattern at all (like row 3). In that case, no match.
SERVICE is always followed by a colon
In grok, I can define this in 2 ways:
SERVICE Thread-[0-9]{2}_(.*?)\:
or as a field using (?<service>Thread-[0-9]{2}_(.*?)\:)
however, for row 1, I get the response value of:
{
"service": [
[
"Thread-70_SCHEDULE.0001:"
]
]
}
What I want is:
{
"service": [
[
"SCHEDULE.0001"
]
]
}
Which is the equivalent of the regex group 1 response. I can't figure out how to manage the grok patterns to get the result I need.

You do not have to include all of the pattern in the capture group. You can use
grok { match => { "message" => "Thread-[0-9]{2}_(?<service>.*?):" } }
That will result in
"service" => "SCHEDULE.0001",
"service" => "OrderInterfaceIntServer",
and a "_grokparsefailure" tag on the third event.

Logstash difference between add_field and replace

What is the difference between add_field and replace, when configuring Logstash?
Semantically, they might expected to do different things, but the current manual does not have anything to say about how the two functions differ depending on the pre-existance of the relevant fields.
Example 1:
filter {
mutate {
add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
}
}
The manual does not say what the expected behavour is if the field already exists. Is the behaviour the same as replace?
Example 2:
filter {
mutate {
replace => { "message" => "%{source_host}: My new message" }
}
}
Once again the manual does not say what the expected behaviour is if the field does not already exist. Is it the same as add_field?

Semantically, they might seem equivalent but they are different as add_field might not always kick in.
replace is part of the mutate filter and if you're looking at the source code of that plugin, you'll see that replace will always set a field even if it doesn't exist:
def replace(event)
#replace.each do |field, newvalue|
event.set(field, event.sprintf(newvalue))
end
end
add_field, however, is a generic configuration of any input and filter plugins and you'll often see in the documentation of some specific filter plugins something like this (e.g. for the grok filter):
If this filter is successful, add any arbitrary fields to this event. [...]
This configuration is inherited from LogStash::Filters::Base, which is the superclass of all filter plugins. This means that in certain filter plugins, in order for add_field to actually add the field, the filter must be successful, otherwise no fields is added.
So in your case, mutate/replace will always set a field even if it doesn't exist, and mutate/add_field will add the specified fields after running all the operations of the mutate filter.
So if you have a mutate filter that does some specific operation like gsub and fails for some reason, no fields will be added as a result.

How to define grok pattern for pipe delimited log message?

setting up ELK is very easy until you hit the logstash filter. I have a log delimited 10 fields. I may have some field blank but I am sure there will be 10 fields:
7/5/2015 10:10:18 AM|KDCVISH01|
|ClassNameUnavailable:MethodNameUnavailable|CustomerView|xwz261|ef315792-5c41-4bdf-aa66-73317e82e4d6|52|6182d1a1-7916-4874-995b-bc9a23437dab|<Exception>
afkh akla 487234 &*<Exception>
Q:
1- I am confused how grok or regex pattern will pick only the field that I am looking and not the similar match from another field. For example, what is the guarantee that DATESTAMP pattern picks only the first value and not the timestamp present in the last field (buried in stack trace)?
2- Is there a way to define positional mapping? For example, 1st fiels is dateTime, 2nd is machine name, 3rd is class name and so on. This will make sure I have fields displayed in Kibana no matter the field value is present or not.

I know i am little late, But here is a simple solution which i am using,
replace your | with space
option 1:
filter {
mutate {
gsub => ["message","\|"," "]
}
grok {
match => ["message","%{DATESTAMP:time} %{WORD:MESSAGE1} %{WORD:EXCEPTION} %{WORD:MESSAGE2}"]
}
}
option 2: excepting |
filter {
grok {
match => ["message","%{DATESTAMP:time}\|%{WORD:MESSAGE1}\|%{WORD:EXCEPTION}\|%{WORD:MESSAGE2}"]
}
}
it is working fine : http://grokdebug.herokuapp.com/. check here.

logstash grok filter for logs with arbitrary attribute-value pairs

(This is related to my other question logstash grok filter for custom logs )
I have a logfile whose lines look something like:
14:46:16.603 [http-nio-8080-exec-4] INFO METERING - msg=93e6dd5e-c009-46b3-b9eb-f753ee3b889a CREATE_JOB job=a820018e-7ad7-481a-97b0-bd705c3280ad data=71b1652e-16c8-4b33-9a57-f5fcb3d5de92
14:46:17.378 [http-nio-8080-exec-3] INFO METERING - msg=c1ddb068-e6a2-450a-9f8b-7cbc1dbc222a SET_STATUS job=a820018e-7ad7-481a-97b0-bd705c3280ad status=ACTIVE final=false
I built a pattern that matched the first line:
%{TIME:timestamp} %{NOTSPACE:http} %{WORD:loglevel}%{SPACE}%{WORD:logtype} - msg=%{NOTSPACE:msg}%{SPACE}%{WORD:action}%{SPACE}job=%{NOTSPACE:job}%{SPACE}data=%{NOTSPACE:data}
but obviously that only works for lines that have the data= at the end, versus the status= and final= at the end of the second line, or other attribute-value pairs on other lines? How can I set up a pattern that says that after a certain point there will be an arbitrary of foo=bar pairs that I want to recognize and output as attribute/value pairs in the output?

You can change your grok pattern like this to have all the key value pairs in one field (kvpairs):
%{TIME:timestamp} %{NOTSPACE:http} %{WORD:loglevel}%{SPACE}%{WORD:logtype} - %{GREEDYDATA:kvpairs}
Afterwards you can use the kv filter to parse the key value pairs.
kv {
source => "kvpairs"
remove_field => [ "kvpairs" ] # Delete the field afterwards
}
Unfortunately, you have some simple values inside your kv pairs (e.g. CREATE_JOB). You could parse them with grok and use one kv filter for the values before and another kv filter for the values after those simple values.

Logstash: Reading multiline data from optional lines

I have a log file which contains lines which begin with a timestamp. An uncertain number of extra lines might follow each such timestamped line:
SOMETIMESTAMP some data
extra line 1 2
extra line 3 4
The extra lines would provide supplementary information for the timestamped line. I want to extract the 1, 2, 3, and 4 and save them as variables. I can parse the extra lines into variables if I know how many of them there are. For example, if I know there are two extra lines, the grok filter below will work. But what should I do if I don't know, in advance, how many extra lines will exist? Is there some way to parse these lines one-by-one, before applying the multiline filter? That might help.
Also, even if I know I will only have 2 extra lines, is the filter below the best way to access them?
filter {
multiline {
pattern => "^%{SOMETIMESTAMP}"
negate => "true"
what => "previous"
}
if "multiline" in [tags] {
grok {
match => { "message" => "(?m)^%{SOMETIMESTAMP} %{DATA:firstline}(?<newline>[\r\n]+)%{DATA:secondline}(?<newline>[\r\n]+)%{DATA:thirdline}$" }
}
}
# After this would be grok filters to process the contents of
# 'firstline', 'secondline', and 'thirdline'. I would then remove
# these three temporary fields from the final output.
}
(I separated the lines into separate variables since this allows me to do additional pattern matching on the contents of the lines separately, without having to refer to the entire pattern all over again. For example, based on the contents of the first line, I might want to present branching behavior for the other lines.)

Why do you need this?
Are you going to be inserting one single event with all of the values or are they really separate events that just need to share the same time stamp?
If they all need to appear in the same event, you'll like need to resort to a ruby filter to separate out the extra lines into fields on the event that you can then further work on.
For example:
if "multiline" in [tags] {
grok {
match => { "message" => "(?m)^%{SOMETIMESTAMP} %{DATA:firstline}(?<newline>[\r\n]+)" }
}
ruby {
code => '
event["lines"] = event["message"].scan(/[^\r\n]+[\r\n]*/);
'
}
}
If they are really separate events, you could use the memorize plugin for logstash 1.5 and later.

This has changed over versions of ELK
Direct event field references (i.e. event['field']) have been disabled in favor of using event get and set methods (e.g. event.get('field')).
filter {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:logtime} %{LOGLEVEL:level}%{DATA:firstline}" }
}
ruby { code => "event.set('message', event.get('message').scan(/[^\r\n]+[\r\n]*/))" }
}