Menu
This is my first experience with using grok and elasticsearch. I'm trying to write a grok file to do parse the following line.
2017-07-25 10:48:23,477 [[api-my-app-v1-20.0.0].apiHttpListenerConfig.worker.58] INFO esb.api-my-app-v1.get-blah.http.response - transactionID=f61b8053-70d2-11e7-b274-3639cc5335d0 creationTime=2017-07-25T10:48:23.254+10:00 txnState=END timeTaken=11
So far I have written this grok...
%{TIMESTAMP_ISO8601:timestamp}\s+%{DATA:thread}\s+%{LOGLEVEL:loglevel}\s+%{JAVACLASS:category}\s+-\s+%{GREEDYDATA:msgbody}
It gives me back this....
{
"timestamp": [
[
"2017-07-25 10:48:23,477"
]
],
"YEAR": [
[
"2017"
]
],
"MONTHNUM": [
[
"07"
]
],
"MONTHDAY": [
[
"25"
]
],
"HOUR": [
[
"10",
null
]
],
"MINUTE": [
[
"48",
null
]
],
"SECOND": [
[
"23,477"
]
],
"ISO8601_TIMEZONE": [
[
null
]
],
"thread": [
[
"[[api-my-app-v1-20.0.0].apiHttpListenerConfig.worker.58]"
]
],
"loglevel": [
[
"INFO"
]
],
"category": [
[
"esb.api-my-app-v1.get-blah.http.response"
]
],
"msgbody": [
[
"transactionID=f61b8053-70d2-11e7-b274-3639cc5335d0 creationTime=2017-07-25T10:48:23.254+10:00 txnState=END timeTaken=11"
]
]
}
This is almost what I want. How can I split the msgbody from my current result into key value pairs?
thanks
741
With the kv filter:
kv {
source => "msgbody"
}
you'll have the key-pair values from the msgbody in fields in your result. Also you won't have to change your grok pattern if the keys change.
153
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
