What is the best way to parse this kind of log with grok?
2019-03-15 14:42:38,910 INFO [SID:6cd1c3cc-7fb0-4a06-8d4d-e125382568ca] [CID:60c24e3e-c8f9-43e4-bedf-59e861bfabf9] [http-bio-8080-exec-3] [TariffRuleServiceImpl.java:569] no approach by ShouldAddApproachToFixedPrice checkbox : false
I would like to get this kind of result:
{
  "date": [
    "19-03-15"
  ],
  "time": [
    "14:42:38,910"
  ],
  "level": [
    "INFO"
  ],
  "SID": [
    "6cd1c3cc-7fb0-4a06-8d4d-e125382568ca"
  ],
  "CID": [
    "60c24e3e-c8f9-43e4-bedf-59e861bfabf9"
  ],
  "thread": [
    "http-bio-8080-exec-3"
  ],
  "class": [
    "TariffRuleServiceImpl.java:569"
  ],
  "message": [
    "no approach by ShouldAddApproachToFixedPrice checkbox : false"
  ]
}
But I am stuck here: %{DATE:date} %{TIME:time} %{WORD:level} ...?
How do I get the data inside [...]? Thanks a lot.
The main idea of your Grok pattern should be to escape the square brackets with a backslash, for example \[. Once you have escaped them, you can use a regular pattern to match your elements. Something like this would work as you want:
%{DATE:date} %{TIME:time} %{WORD:level} \[SID:%{DATA:SID}\] \[CID:%{DATA:CID}\] \[%{DATA:thread}] \[%{DATA:class}] %{GREEDYDATA:message}
Also, note that you have two spaces between the level and the [SID, and this could prevent your pattern from matching, depending on how it is constructed.
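The pattern above can be checked offline with the following added example, which is not part of the original answer. It expands the Grok references into a Python regex using simplified stand-ins for Grok's built-in DATE, TIME, WORD, DATA and GREEDYDATA definitions (an assumption), and adds a hypothetical variant that uses \s+ after the level so that one or two spaces both match.

```python
import re

# Simplified stand-ins for Grok's built-in patterns (assumption: close enough
# for this log format; the real definitions are stricter).
GROK = {
    "DATE": r"\d{1,2}[./-]\d{1,2}[./-]\d{2,4}",
    "TIME": r"\d{2}:\d{2}:\d{2}(?:[:.,]\d+)?",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",          # non-greedy: stops at the next literal, here \]
    "GREEDYDATA": r".*",     # greedy: takes the rest of the line
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} references into named capture groups."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

# The pattern from the answer, with the brackets escaped on both sides.
STRICT = (r"%{DATE:date} %{TIME:time} %{WORD:level} \[SID:%{DATA:SID}\] "
          r"\[CID:%{DATA:CID}\] \[%{DATA:thread}\] \[%{DATA:class}\] "
          r"%{GREEDYDATA:message}")
# Hypothetical variant: \s+ after the level accepts one or more spaces.
TOLERANT = STRICT.replace(r"%{WORD:level} ", r"%{WORD:level}\s+")

def parse(line, pattern=TOLERANT):
    """Return the captured fields as a dict, or None if the line does not match."""
    m = grok_to_regex(pattern).search(line)
    return m.groupdict() if m else None

# Sample line from the question, and a constructed variant with two spaces
# between the level and [SID.
LINE = ("2019-03-15 14:42:38,910 INFO [SID:6cd1c3cc-7fb0-4a06-8d4d-e125382568ca] "
        "[CID:60c24e3e-c8f9-43e4-bedf-59e861bfabf9] [http-bio-8080-exec-3] "
        "[TariffRuleServiceImpl.java:569] no approach by "
        "ShouldAddApproachToFixedPrice checkbox : false")
LINE_2SP = LINE.replace("INFO [", "INFO  [")

if __name__ == "__main__":
    for name, value in parse(LINE).items():
        print("%-8s %s" % (name, value))
    print("strict on two spaces:  ", parse(LINE_2SP, STRICT))
    print("tolerant on two spaces:", parse(LINE_2SP)["level"])
```

Because the pattern is not anchored, the date field starts matching at "19-03-15", which is the value shown in the question's expected result.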