My input looks like:
"message" => "ERROR | [default task-55] my.package.className(Class.java:184) | - logstash-ERROR LOG\r",
My Logstash configuration:
filter {
  grok {
    match => {"message" => "%{WORD:logLevel} | %{WORD:task} %{WORD:callfrom} | - %{WORD:logmessage}"}
  }
}
My XML config file for log4j:
<?xml version="1.0" encoding="UTF-8"?>
<Configuration xmlns="http://logging.apache.org/log4j/2.0/config">
  <Appenders>
    <File name="FILE" fileName="logfile.log" append="true">
      <PatternLayout pattern="%p | [%t] %l | - %m%n"/>
    </File>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%p | [%t] %l | - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Logger name="com.memorynotfound" level="debug"/>
    <Root level="info">
      <AppenderRef ref="STDOUT"/>
      <AppenderRef ref="FILE"/>
    </Root>
  </Loggers>
</Configuration>
In Kibana I see that the logLevel is OK, I get the proper log level, but I can't get the other words. What did I miss in the filter? Thanks for the help!
UPDATE
I tried this code:
^(%{WORD:logLevel}) (%{TASK_PATTERN:task}) (%{CLASS:callfrom}) (%{GREEDYDATA:logmessage})$
with my custom pattern:
TASK_PATTERN (^\[.*\]$)
CLASS .*\)
but it still finds just the loglevel.
It is probably possible to get even more specific than this, but according to grokconstructor, the following works:
%{WORD:level} \| \[%{WORD:task} %{NOTSPACE:callfrom}\] %{DATA:javaclass} \| - %{GREEDYDATA:message}
Remember, any unmatched characters such as | or [ still need to be accounted for within the grok. Also, these patterns are a good reference point for what you can do for free.
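The following is an added example, not part of the original question or answer. It expands both grok expressions into plain regular expressions and runs them against the log line from the question, showing that each bare | acts as alternation and the match stops after logLevel. The helpers grok_to_regex and grok_match are hypothetical names, and Python's re stands in for the regex engine Logstash uses; the four pattern definitions are the stock grok ones.

```python
import re

# Subset of the stock grok pattern definitions used by the two expressions.
GROK = {
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} references into named regex groups (hypothetical helper)."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

def grok_match(pattern, line):
    """Unanchored match, as grok does; returns only the fields that captured."""
    m = grok_to_regex(pattern).search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}

# Constructed sample: the log line shown in the question, trailing \r included.
LINE = ("ERROR | [default task-55] my.package.className(Class.java:184)"
        " | - logstash-ERROR LOG\r")

# Pattern from the question: every bare | splits the regex into alternatives,
# so the first alternative ("%{WORD:logLevel} ") matches and nothing else runs.
UNESCAPED = "%{WORD:logLevel} | %{WORD:task} %{WORD:callfrom} | - %{WORD:logmessage}"

# Pattern from the answer: | and [ ] are escaped, so they match literally.
ESCAPED = (r"%{WORD:level} \| \[%{WORD:task} %{NOTSPACE:callfrom}\] "
           r"%{DATA:javaclass} \| - %{GREEDYDATA:message}")

if __name__ == "__main__":
    print(grok_match(UNESCAPED, LINE))
    print(grok_match(ESCAPED, LINE))
```

The trailing \r from the input ends up inside the last field, so it has to be stripped separately if it is not wanted in the indexed message.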