
Grok expression to Parse Log data


I have just started using grok for Logstash and I am trying to parse the log file line below using the grok filter.

10.210.57.60 0x756682x2 connectadmin [12/May/2020:00:00:00 +0530] "GET /rest/auth/1/session HTTP/1.1" 200 286 456 "-" "Jersey/2.11 (HttpUrlConnection 1.8.0_171)" "1twyrho"

I am interested in: IP: 10.210.57.60 // user: connectadmin // timestamp: 12/May/2020:00:00:00 +0530 // URL: /rest/auth/1/session // Response Code: 200

I am currently stuck with the grok expression `%{IPV4:client_ip} %{WORD:skip_me1} %{USERNAME}`, with which I am able to get the IP and username. Can you please help me proceed?

Thank you.


Solution

  • I have used the grok debugger https://grokdebug.herokuapp.com/ to get the desired output. Below is the grok pattern that will match your requirement:

    %{IPV4:IP} %{GREEDYDATA:girbish} %{USERNAME:user} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{GREEDYDATA:girbish}
    

    Also, below is the screenshot of the final output after using the grok pattern.

    [screenshots: grok debugger output for the pattern above]

    Note: You can remove unnecessary fields using the mutate filter of Logstash.
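To see how the answer's pattern resolves against the question's log line, here is an added Python example (not part of the original question or answer, and not Logstash's own code) that expands the `%{PATTERN:field}` references into a regex and applies it. The pattern library is a simplified subset of the stock grok base patterns, and repeated field names are collected into a list the way grok does.

```python
import re
# Simplified transcription of the stock grok base patterns the answer's pattern refers to.
GROK_PATTERNS = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "HTTPDATE": r"\d{1,2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{PATTERN} or %{PATTERN:field}
# Pattern from the answer above and the log line from the question.
ANSWER_PATTERN = (r'%{IPV4:IP} %{GREEDYDATA:girbish} %{USERNAME:user} \[%{HTTPDATE:timestamp}\] '
                  r'"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" '
                  r'%{NUMBER:response} (?:%{NUMBER:bytes}|-) %{GREEDYDATA:girbish}')
SAMPLE_LINE = ('10.210.57.60 0x756682x2 connectadmin [12/May/2020:00:00:00 +0530] '
               '"GET /rest/auth/1/session HTTP/1.1" 200 286 456 "-" '
               '"Jersey/2.11 (HttpUrlConnection 1.8.0_171)" "1twyrho"')

def compile_grok(pattern):
    """Expand %{NAME:field} refs into a regex; also return the field name of each capture group."""
    fields = []
    def repl(m):
        body = GROK_PATTERNS[m.group(1)]
        if m.group(2) is None:          # no field name: match the text but do not capture it
            return f"(?:{body})"
        fields.append(m.group(2))
        return f"(?P<g{len(fields) - 1}>{body})"
    return re.compile(GROK_REF.sub(repl, pattern)), fields

def grok_match(pattern, line):
    """Apply a grok pattern to one line; None means no match (a _grokparsefailure in Logstash)."""
    regex, fields = compile_grok(pattern)
    m = regex.match(line)
    if m is None:
        return None
    result = {}
    for i, field in enumerate(fields):
        value = m.group(f"g{i}")
        if value is None:               # optional branch not taken: grok omits the field
            continue
        if field in result:             # same field captured twice: grok yields an array
            prev = result[field]
            result[field] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            result[field] = value
    return result
```

Running `grok_match(ANSWER_PATTERN, SAMPLE_LINE)` yields the asker's five fields plus `verb`, `httpversion` and `bytes`; the second `girbish` capture swallows everything after the byte count, which is what the mutate filter would then drop.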