Menu
I have a logfile in which the data is separated by a pipe symbol. "|". An example is below. Does anyone know how to write a GROK pattern to extract it for logstash?
2014-01-07 11:58:48.7694|LOGLEVEL|LOGSOURCE|LOGMESSAGE
456
You can use gsub API to change the pipe "|" to space and the use GROK to extract it.
For example:
filter {
grok {
match => ["message","%{DATESTAMP:time}\|%{WORD:LOGLEVEL}\|%{WORD:LOGSOURCE}\|%{WORD:LOGMESSAGE}"]
}
}
The above configuration is worked on me with your log. Hope this can help you.
129
use this filter:
it works for me. use this site to verify grok patern, https://grokdebug.herokuapp.com/
(?<date>(([0-9]+)-*)+ ([0-9]+:*)+.*)\|%{WORD:LOGLEVEL}\|%{WORD:LOGSOURCE}\|%{WORD:LOGMESSAGE}
This worked for me
grok { match => ["message","%{DATESTAMP:time}\|%{WORD:LOGLEVEL}\|%{WORD:LOGSOURCE}\|%{WORD:LOGMESSAGE}"] }
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
