
Grok pattern for data separated by pipe


I have a logfile in which the data is separated by a pipe symbol, "|". An example is below. Does anyone know how to write a GROK pattern to extract it for logstash?

2014-01-07 11:58:48.7694|LOGLEVEL|LOGSOURCE|LOGMESSAGE


Solution

  • You can use the gsub API to change the pipe "|" to a space and then use GROK to extract it.

    For example:

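    filter {
        grok {
            # TIMESTAMP_ISO8601 matches the full "2014-01-07 11:58:48.7694";
            # DATESTAMP expects the day or month first and captures only "14-01-07 ...".
            # GREEDYDATA lets the message contain spaces; WORD stops at the first one.
            match => ["message","%{TIMESTAMP_ISO8601:time}\|%{WORD:LOGLEVEL}\|%{WORD:LOGSOURCE}\|%{GREEDYDATA:LOGMESSAGE}"]
        }
    }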
    

    The above configuration worked for me with your log. Hope this can help you.
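
An added example, not part of the original answer: a filter for the same pipe-delimited line that anchors the pattern, keeps any extra pipes inside the last field, and sets `@timestamp` from the parsed time. The `[^|]+` capture for LOGSOURCE and the date format string are assumptions based on the single sample line in the question.

```logstash
filter {
  grok {
    # ^ and $ anchor the pattern, so a line with the wrong shape fails
    # instead of matching from somewhere in the middle.
    # The first three fields cannot contain a pipe; the message is last
    # and greedy, so a "|" inside message text (for example user-supplied
    # input that ends up in the log) stays in LOGMESSAGE and cannot shift
    # the level or source fields.
    match => {
      "message" => "^%{TIMESTAMP_ISO8601:time}\|%{WORD:LOGLEVEL}\|(?<LOGSOURCE>[^|]+)\|%{GREEDYDATA:LOGMESSAGE}$"
    }
    tag_on_failure => ["_grokparsefailure"]
  }

  # Only parse the timestamp when grok succeeded; failed lines keep the
  # _grokparsefailure tag so they can be routed or counted downstream.
  if "_grokparsefailure" not in [tags] {
    date {
      # Assumed format: four fractional-second digits, as in
      # "2014-01-07 11:58:48.7694". Precision beyond milliseconds is dropped.
      match  => ["time", "yyyy-MM-dd HH:mm:ss.SSSS"]
      target => "@timestamp"
    }
  }
}
```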