logstash, logstash-grok

How to put this GROK pattern to logstash.conf file?


I wrote a grok pattern using the grok debugger for SAP logs, but I don't know how to use it in the Logstash configuration:

Grok pattern:

(?<AUDIt_LOG>[(0-9A-U]{0,4})(?<DATE>[0-9A-F]{8})%{INT:Log_Code}(?<Type>[a-zA-Z]{0,5})%{NOTSPACE:ServiceName} %{SPACE} %{NOTSPACE:Host} %{SPACE} %{WORD:Bank}&&%{WORD:BANK2}%{SPACE} %{WORD:USERNAME}

How do I use the grok filter to parse my log message?


Solution

  • Add this between your input plugin and output plugin in your logstash.conf file:

    filter {
        grok {
            # grok runs the pattern against the event's "message" field;
            # every %{TYPE:name} capture becomes a field of that name on the event
            match => {
                "message" => "([(0-9A-U]{0,4})([0-9A-F]{8})%{INT:Log_Code}([a-zA-Z]{0,5})%{NOTSPACE:ServiceName}%{SPACE}%{NOTSPACE:Host}%{SPACE}%{WORD:Bank}&&%{WORD:BANK2}%{SPACE}%{WORD:USERNAME}"
            }
        }
    }
    

    Read this for additional explanation.

    UPDATE:

    There were some spaces in the grok pattern.

    Input

    2AUK20170407183522001768800000D0itzpiascECCSERVICE SAPMSSY1 3001EDIN&&IDOC_INBOUND_ASYNCHRONOUS itzpiascs
    

    Output

    ServiceName 0itzpiascECCSERVICE
    Log_Code    183522001768800000
    BANK2       IDOC_INBOUND_ASYNCHRONOUS
    USERNAME    itzpiascs
    Bank        3001EDIN
    Host        SAPMSSY1
    

    Hope this helps.
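To check a pattern offline before it goes into logstash.conf, here is an added Python example (not from the answer or from Logstash) that expands the four built-in grok patterns the expression uses, runs it over the sample line above, and shows the question's original pattern, with its literal spaces, failing to match. The named captures AUDIT_LOG, DATE and Type are restored from the question; their names are an assumption.

```python
import re

# Regex bodies of the built-in grok patterns used on this page, as defined in
# Logstash's core grok-patterns file (assumption: only these four are needed).
GROK_PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NOTSPACE": r"\S+",
    "SPACE": r"\s*",
    "WORD": r"\b\w+\b",
}

# Corrected pattern from the answer, with the question's named captures put back.
FIXED_PATTERN = (
    r"(?<AUDIT_LOG>[(0-9A-U]{0,4})(?<DATE>[0-9A-F]{8})%{INT:Log_Code}"
    r"(?<Type>[a-zA-Z]{0,5})%{NOTSPACE:ServiceName}%{SPACE}%{NOTSPACE:Host}"
    r"%{SPACE}%{WORD:Bank}&&%{WORD:BANK2}%{SPACE}%{WORD:USERNAME}"
)
# The question's version: literal spaces around %{SPACE} demand two whitespace
# characters where the log line has only one, so it never matches.
SPACED_PATTERN = (
    r"(?<AUDIT_LOG>[(0-9A-U]{0,4})(?<DATE>[0-9A-F]{8})%{INT:Log_Code}"
    r"(?<Type>[a-zA-Z]{0,5})%{NOTSPACE:ServiceName} %{SPACE} %{NOTSPACE:Host} "
    r"%{SPACE} %{WORD:Bank}&&%{WORD:BANK2}%{SPACE} %{WORD:USERNAME}"
)
# Sample SAP audit line copied from the answer's Input section.
SAMPLE_LINE = ("2AUK20170407183522001768800000D0itzpiascECCSERVICE SAPMSSY1 "
               "3001EDIN&&IDOC_INBOUND_ASYNCHRONOUS itzpiascs")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} / %{NAME} and grok-style (?<name>...) groups
    into a Python regex with (?P<name>...) named groups."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]  # KeyError flags a pattern we did not define
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    regex = re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)


def grok_match(pattern: str, line: str):
    """Return the captured fields as a dict, or None when the line does not match.
    Grok searches unanchored, like re.search; anchoring with ^ in production
    limits backtracking on lines that do not match."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for name, value in (grok_match(FIXED_PATTERN, SAMPLE_LINE) or {}).items():
        print(f"{name:<12}{value}")
    print("spaced pattern matches:", grok_match(SPACED_PATTERN, SAMPLE_LINE) is not None)
```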