How to put regex group to field with grok
Posted: Fri May 27, 2016 6:53 am
Hi,
we are currently evaluating nagios logserver.
Via nxlog we are moving logfiles in json codec to logstash.
log lines may be the following example:
thats the logical format:
time.serviceName.someNumbers:logLevel: logmessage
I would use following regex to extract my needed values:
result of first line:
$1=service1
$2=WARN
$3= This is a warning message
I am so far that I can put $1 and $3 into fields, with grok:
but I do not know how to process $2.
Hopefully you can help me.
Regards, Andreas
PS: The timestamp here is not important for me, because we only have the time but no date here. The complete timestamp (date + time) will be combined by nxlog.
we are currently evaluating nagios logserver.
Via nxlog we are moving logfiles in json codec to logstash.
log lines may be the following example:
Code: Select all
001020.service1.5563:WARN: This is a warning message
001023.service2.5643.24.-5:ERROR: This is an error message
time.serviceName.someNumbers:logLevel: logmessage
I would use following regex to extract my needed values:
Code: Select all
^\d{6}.([^\.]+)[^\:]+:(INFO|WARN|ERROR):(.*)
$1=service1
$2=WARN
$3= This is a warning message
I am so far that I can put $1 and $3 into fields, with grok:
Code: Select all
^\d{6}.(%{WORD:service})[^\:]+:(INFO|WARN|ERROR):%{GREEDYDATA:message}
Hopefully you can help me.
Regards, Andreas
PS: The timestamp here is not important for me, because we only have the time but no date here. The complete timestamp (date + time) will be combined by nxlog.