Logstash: searching for nested grok? Parsing a field into multiple fields?

Question

Logstash: searching for nested grok? Parsing a field into multiple fields?

I have journal entries that look like this ...

2014-02-25 00:00:03,936 INFO  - something happened...bla bla bla
2014-02-25 00:00:03,952 INFO  - ***Request Completed*** [   78.002] mS [http://cloud.mydomain.local/schedule/search?param=45]
2014-02-25 00:00:04,233 INFO  - something else happened...bla bla bla

I have a grok filter that parses strings correctly ...

grok {
    match => [ "message", "%{TIMESTAMP_ISO8601:logdate} %{WORD:severity}%{SPACE}- %{GREEDYDATA:body}" ]
}

I would like to analyze additional data from the "body" if the "body" begins with "*** Request Completed ***". Namely, "elaspsedms" and "uri". How can i do this?

Elsewhere, it was suggested to add another entry to the grok filter, similar to this ...

grok {
    match => [ 
              "message", "%{TIMESTAMP_ISO8601:logdate} %{WORD:severity}%{SPACE}- \*\*\*Request Completed\*\*\* \[%{SPACE}%{NUMBER:elaspedms}\] mS \[%{URI:uri}\]",
              "message", "%{TIMESTAMP_ISO8601:logdate} %{WORD:severity}%{SPACE}- %{GREEDYDATA:body}"
             ]
}

... , "body" NOT. , , iff, , elapsedms uri.

, ?

? , "" elapsedms/uri, , . grok?

?

: , , "" , "elaspedms" "uri", "elaspedms"?

+4

grok parsing logstash

Tony 28 . '14 13:32

3

Tony · Answer 1 · 2014-02-28T14:25:38+0000

. ?

grok {
   match => [ 
          "message", "%{TIMESTAMP_ISO8601:logdate} %{WORD:severity}%{SPACE}- \*\*\*Request Completed\*\*\* \[%{SPACE}%{NUMBER:elaspedms}\] mS \[%{URI:uri}\]",
          "message", "%{TIMESTAMP_ISO8601:logdate} %{WORD:severity}%{SPACE}- %{GREEDYDATA:body}"
         ]
}

# if body is NOT set (timing line) make one
if ![body] {
    mutate { 
        add_field => [ "body", "***Request Completed*** [%{elapsedms}] mS [%{uri}]"] 
    }
}

Patrick Hoeffel · Answer 2 · 2015-12-01T19:11:15+0000

, , , Logstash 1.5.3:

grok {
   match => [ 
          "message", "%{TIMESTAMP_ISO8601:logdate} %{WORD:severity}%{SPACE}- %{GREEDYDATA:body}"
         ]
}

# if body is set (which should always be true, but it good to check anyway)
if [body] {
    grok {
       break_on_match => true
       match => [ 
          "body", "\*\*\*Request Completed\*\*\* \[%{SPACE}%{NUMBER:elaspedms}\] mS \[%{URI:uri}\]"
         ]
    }
}

, body, , "***Request Completed***", elapsedms uri. - - , , .

"break_on_match" , . true false.

body ( , ) , message.

GGGforce · Answer 3 · 2014-12-05T11:22:17+0000

, break_on_match grok false: http://logstash.net/docs/1.4.2/filters/grok#break_on_match

Logstash: searching for nested grok? Parsing a field into multiple fields?

More articles: