
trouble using grok module in nodejs


I'm trying to parse some logs in node using grok and it seems to work in the grok debugger but not when I run it in node.

In http://grokdebug.herokuapp.com/ I do:

Input: [2016-02-01 15:29:02,039] INFO [Replica state machine on controller 0]: Invoking state change to OnlineReplica for replicas [Topic=elk-test,Partition=0,Replica=0] (kafka.controller.ReplicaStateMachine)

Pattern: \[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level} \[%{DATA:message1}\]: %{GREEDYDATA:message2}

which outputs this:

{
  "timestamp": [
    [
      "2016-02-01 15:29:02,039"
    ]
  ],
  "YEAR": [
    [
      "2016"
    ]
  ],
  "MONTHNUM": [
    [
      "02"
    ]
  ],
  "MONTHDAY": [
    [
      "01"
    ]
  ],
  "HOUR": [
    [
      "15",
      null
    ]
  ],
  "MINUTE": [
    [
      "29",
      null
    ]
  ],
  "SECOND": [
    [
      "02,039"
    ]
  ],
  "ISO8601_TIMEZONE": [
    [
      null
    ]
  ],
  "level": [
    [
      "INFO"
    ]
  ],
  "message1": [
    [
      "Replica state machine on controller 0"
    ]
  ],
  "message2": [
    [
      "Invoking state change to OnlineReplica for replicas [Topic=elk-test,Partition=0,Replica=0] (kafka.controller.ReplicaStateMachine)"
    ]
  ]
}

In nodejs, I try to do it like this:

'use strict';

var nodegrok = require('node-grok');
var Regex = require("regex");
var zlib = require('zlib');

var str2 = '[2016-02-01 15:29:02,039] INFO [Replica state machine on controller 0]: Invoking state change to OnlineReplica for replicas [Topic=elk-test,Partition=0,Replica=0] (kafka.controller.ReplicaStateMachine)'

var p2 = '\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level} \[%{DATA:message1}\]: %{GREEDYDATA:message2}'


var patterns = require('node-grok').loadDefaultSync();
var pattern = patterns.createPattern(p2)
console.log('pattern:', pattern.parseSync(str2));

but then I get this error:

/Users/usrxxx/kafka_process_lambda/node_modules/node-grok/node_modules/oniguruma/lib/onig-reg-exp.js:9
      this.scanner = new OnigScanner([this.source]);
                     ^

Error: empty range in char class
    at Error (native)
    at new OnigRegExp (/Users/usrxxx/kafka_process_lambda/node_modules/node-grok/node_modules/oniguruma/lib/onig-reg-exp.js:9:22)
    at GrokPattern.t.parseSync (/Users/usrxxx/kafka_process_lambda/node_modules/node-grok/lib/index.js:38:24)
    at Object.<anonymous> (/Users/usrxxx/kafka_process_lambda/index.js:12:33)
    at Module._compile (module.js:409:26)
    at Object.Module._extensions..js (module.js:416:10)
    at Module.load (module.js:343:32)
    at Function.Module._load (module.js:300:12)
    at Function.Module.runMain (module.js:441:10)
    at startup (node.js:139:18)

Solution

  • As is evident from the example, you need to escape the characters [ and ] correctly. So, in your code, change...

    var p2 = '\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level} \[%{DATA:message1}\]: %{GREEDYDATA:message2}'
    

    ...to:

    var p2 = '\\[%{TIMESTAMP_ISO8601:timestamp}\\] %{LOGLEVEL:level} \\[%{DATA:message1}\\]: %{GREEDYDATA:message2}'
    

    And then your code outputs:

    $ node app.js 
    pattern: { timestamp: '2016-02-01 15:29:02,039',
      level: 'INFO',
      message1: 'Replica state machine on controller 0',
      message2: 'Invoking state change to OnlineReplica for replicas [Topic=elk-test,Partition=0,Replica=0] (kafka.controller.ReplicaStateMachine)' }
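
The escaping rule from the answer above, as an added example that is not part of the original post and does not use node-grok. It assumes a simplified grok expander over native RegExp (the sub-patterns and the helper names expandGrok and parseLine are hypothetical) and shows that the single-backslash literal reaches the regex engine with its backslashes already removed, while `\\[` and String.raw keep them.

```javascript
// Added example. SUBPATTERNS are simplified, constructed stand-ins for the
// grok definitions, and native RegExp replaces Oniguruma (assumptions).
const SUBPATTERNS = {
  TIMESTAMP_ISO8601: '\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2},\\d{3}',
  LOGLEVEL: '[A-Za-z]+',
  DATA: '.*?',
  GREEDYDATA: '.*',
};

// Turn %{NAME:field} into a named capture group (hypothetical helper).
function expandGrok(pattern) {
  return pattern.replace(/%\{(\w+):(\w+)\}/g, (whole, name, field) => {
    if (!Object.prototype.hasOwnProperty.call(SUBPATTERNS, name)) {
      throw new Error('unknown sub-pattern: ' + name);
    }
    return '(?<' + field + '>' + SUBPATTERNS[name] + ')';
  });
}

// Returns the captured fields, or null if the pattern fails to compile or match.
function parseLine(grokPattern, line) {
  let re;
  try {
    re = new RegExp(expandGrok(grokPattern));
  } catch (err) {
    return null;
  }
  const m = re.exec(line);
  return m ? Object.assign({}, m.groups) : null;
}

// Sample log line taken from the question.
const line = '[2016-02-01 15:29:02,039] INFO [Replica state machine on controller 0]: ' +
  'Invoking state change to OnlineReplica for replicas ' +
  '[Topic=elk-test,Partition=0,Replica=0] (kafka.controller.ReplicaStateMachine)';

// '\[' is not a recognised string escape, so JavaScript silently drops the backslash.
const asTyped = '\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level} \[%{DATA:message1}\]: %{GREEDYDATA:message2}';
// Two ways to deliver a literal backslash to the regex engine.
const escaped = '\\[%{TIMESTAMP_ISO8601:timestamp}\\] %{LOGLEVEL:level} \\[%{DATA:message1}\\]: %{GREEDYDATA:message2}';
const raw = String.raw`\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level} \[%{DATA:message1}\]: %{GREEDYDATA:message2}`;

console.log('engine receives:', asTyped);
console.log('as typed:', parseLine(asTyped, line));
console.log('escaped :', parseLine(escaped, line));
console.log('raw === escaped:', raw === escaped);
```

With native RegExp the unescaped pattern yields no fields rather than Oniguruma's "empty range in char class" error, but the cause is the same: the brackets arrive unescaped and are read as character classes.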