Rohan Singh - 3 months ago
JSON Question

How to use regex for config files in this use case?

I am using LogStash which accepts data from a log file, which has different types of logs.

I tried this:

filter {
    grok {
        match => { "message" => "%{WORD:tag} %{WORD:message} %{WORD:value}" }
    }
}


But it doesn't work.

Answer

I am using the grok filter to check if the log line is of one format.

If the grok filter cannot parse the log line (such as with the JSON lines), _grokparsefailure will be added to the tags. You can then use this tag to differentiate between the two log types.

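filter {
    # Try the plain-text format first.
    grok {
        match => {
            "message" => "tag: %{GREEDYDATA:tag} message: %{GREEDYDATA:message} value: %{WORD:value}"
        }
    }

    # Lines grok could not parse are tagged _grokparsefailure; treat them as JSON.
    if "_grokparsefailure" in [tags] {
        json {
            source => "message"
        }
    }
}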

To test your grok pattern, Grok Constructor is a good tool.
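
The routing logic of the filter above, emulated in Python so it can be checked offline against sample lines. This is an added example, not part of the original answer. The sample lines are constructed, the field name `text` is hypothetical, and `_jsonparsefailure` is the json filter's default failure tag.

```python
import json
import re

# Regex equivalent of the answer's grok pattern, using the stock grok
# definitions GREEDYDATA = .* and WORD = \b\w+\b (unanchored, like grok).
LINE_RE = re.compile(
    r"tag: (?P<tag>.*) message: (?P<message>.*) value: (?P<value>\b\w+\b)"
)


def parse_line(line):
    """Emulate the filter block: try the grok pattern, fall back to JSON."""
    event = {"message": line, "tags": []}

    match = LINE_RE.search(line)
    if match:
        # Named captures become event fields. The captured text is stored
        # under "text" (hypothetical name) so the raw line is preserved.
        event["tag"] = match.group("tag")
        event["text"] = match.group("message")
        event["value"] = match.group("value")
        return event

    event["tags"].append("_grokparsefailure")
    try:
        doc = json.loads(line)
        if not isinstance(doc, dict):
            # This emulation treats non-object JSON as a parse failure.
            raise ValueError("top-level JSON value is not an object")
    except ValueError:
        # Neither format matched: keep the event and tag it for review.
        event["tags"].append("_jsonparsefailure")
        return event

    event.update(doc)  # JSON keys become top-level event fields
    return event


# Constructed sample lines, one per case.
SAMPLES = [
    "tag: auth message: login failed for admin value: 3",
    '{"tag": "auth", "message": "login ok", "value": "1"}',
    "kernel: something unstructured",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_line(sample))
```

Lines that carry both failure tags matched neither format; routing them to a separate output keeps unparsed log data visible instead of mixing it with parsed events.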
