So I have the following log message:
[localhost-startStop-1] SystemPropertiesConfigurer$ExportingPropertyOverrideConfigurer loadProperties > Loading properties file from class path resource [SystemConfiguration.overrides]
I'm trying to match the first thread ( [localhost-startStop-1] ) with the following pattern:
EVENT_THREAD (\[.+?\])
This works when I pass it into regex101.com but doesn't work when I represent it as %{(\[.+?\]):EVENT_THREAD} on grokdebugger, for reasons unknown to me...
Can someone help me understand this?
Thanks,
See Grok help:
Sometimes logstash doesn’t have a pattern you need. For this, you have a few options.
First, you can use the Oniguruma syntax for named capture which will let you match a piece of text and save it as a field:
(?<field_name>the pattern here)
So, use (?<EVENT_THREAD>\[.+?\]) .
Alternately, you can create a custom patterns file.
Create a directory called patterns with a file in it called extra (the file name doesn’t matter, but name it meaningfully for yourself)
In that file, write the pattern you need as the pattern name, a space, then the regexp for that pattern.
# contents of ./patterns/postfix:
EVENT_THREAD (?:\[.+?\])
Then use the patterns_dir setting in this plugin to tell logstash where your custom patterns
filter {
  grok {
    patterns_dir => ["./patterns"]
    match => { "message" => "%{EVENT_THREAD:evt_thread}" }
  }
}
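As an added illustration, not part of the answer above and not Logstash's own code: a small Python model of how grok resolves a match expression. It shows the two working forms from the answer (the Oniguruma named capture and a custom pattern loaded from a patterns file) and why the question's %{(\[.+?\]):EVENT_THREAD} fails: whatever sits inside %{...} before the colon must be a defined pattern name, not a regexp. The patterns file contents and the expander itself are assumptions for this example.

```python
import re

# Constructed sample input: the log line from the question.
LOG_LINE = ("[localhost-startStop-1] SystemPropertiesConfigurer"
            "$ExportingPropertyOverrideConfigurer loadProperties > "
            "Loading properties file from class path resource "
            "[SystemConfiguration.overrides]")

# Hypothetical contents of ./patterns/extra: pattern NAME, a space, then its regexp.
PATTERNS_FILE = "# custom patterns\nEVENT_THREAD (?:\\[.+?\\])\n"

# %{NAME} or %{NAME:field}; the name part is whatever sits before ':' or '}'.
GROK_REF = re.compile(r"%\{([^}:]+)(?::([^}]+))?\}")
# Oniguruma named group (?<name>...), rewritten to Python's (?P<name>...).
ONIG_NAMED = re.compile(r"\(\?<([A-Za-z_]\w*)>")


def load_patterns(text):
    """Parse a patterns file: one 'NAME regexp' per line; '#' lines are comments."""
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, regexp = line.partition(" ")
            patterns[name] = regexp
    return patterns


def expand_grok(expr, patterns):
    """Turn a grok expression into a plain regexp, resolving %{NAME:field}
    references recursively. Anything inside %{...} must be a pattern name;
    a raw regexp there (as in the question) is rejected, as grok rejects it."""
    def resolve(m):
        name, field = m.group(1), m.group(2)
        if name not in patterns:
            raise ValueError(f"grok pattern {name!r} is not defined")
        body = expand_grok(patterns[name], patterns)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return ONIG_NAMED.sub(r"(?P<\1>", GROK_REF.sub(resolve, expr))


def grok_match(expr, patterns, line):
    """Return the captured fields as a dict, or None when the line doesn't match."""
    m = re.search(expand_grok(expr, patterns), line)
    return m.groupdict() if m else None
```

Calling grok_match("%{EVENT_THREAD:evt_thread}", load_patterns(PATTERNS_FILE), LOG_LINE) yields {"evt_thread": "[localhost-startStop-1]"}, while expanding the question's %{(\[.+?\]):EVENT_THREAD} raises ValueError because "(\[.+?\])" is not a pattern name.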