
Logstash Custom Grok Pattern

Logstash provides predefined grok patterns for common cases such as URL, INT, GREEDYDATA and WORD. We can also define our own custom grok patterns.

Why do we need a custom Grok Pattern?

If the same pattern is needed in multiple configuration files, defining it once as our own named grok pattern means that any future change to the log format is updated in one place only and is reflected in all the files that use it.

How to define our own Grok Pattern?

  • Go to the Logstash installation directory and follow the path below to edit the grok-patterns file.
  • The grok-patterns file defines each grok pattern in the form below, and we define our own patterns the same way:
    NAME regular-expression
  • Use the defined grok pattern in the grok filter of your Logstash configuration file, as in the example below.

Example: Suppose our requirement is to parse the log line below and retrieve all of its information: loglevel, timestamp, className, threadNumber and logContent.

Log statement :

[DEBUG|20161226 134758 956] (ElasticManagerImpl@ExecuteThread: '297' for queue: 'weblogic.kernel.Default') {Using Weblogic-specific timeout values for context request. RequestTimeout: 7200000 RMIClientTimeout: 7200000}

As per our requirement, the complete log line is divided into the following fields:

loglevel: DEBUG

timestamp: 20161226 134758 956

className: ElasticManagerImpl

threadNumber: 297

logContent: Using Weblogic-specific timeout values for context request. RequestTimeout: 7200000 RMIClientTimeout: 7200000

For the above fields, predefined grok patterns already exist: LOGLEVEL for the log level, INT for the thread number, WORD for the class name and GREEDYDATA for the log content. There is no grok pattern matching this timestamp format, so we define our own pattern (LOG_TIMESTAMP) in the grok-patterns file.


Grok Pattern for Logstash:

In the Logstash configuration file, the grok filter is defined with the match expression given below.


match => { "message" => "(?m)^\[%{LOGLEVEL:loglevel}%{SPACE}\|%{LOG_TIMESTAMP:timestamp}\]%{SPACE}\(%{GREEDYDATA:className}@%{GREEDYDATA}%{NUMBER:threadNumber}%{GREEDYDATA}\)%{SPACE}\{%{GREEDYDATA:logContent}\}" }
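To show how the custom definition and the match expression above fit together, here is an added Python example (not from the post and not Logstash's own code) that loads a definition line in the grok-patterns "NAME regular-expression" form, expands the %{NAME:field} references into a regular expression the way grok does, and parses the sample log statement. The LOG_TIMESTAMP definition and the simplified built-in patterns are assumptions, since the post does not show them.

```python
import re

# Simplified stand-ins for the predefined grok patterns the filter uses
# (assumption: the real grok-patterns definitions are broader than these).
BASE_PATTERNS = {
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|NOTICE|WARN(?:ING)?|ERROR|SEVERE|FATAL)",
    "SPACE": r"\s*",
    "NUMBER": r"(?<![0-9.+-])[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "GREEDYDATA": r".*",
}
# Custom definition in the "NAME regular-expression" form of the grok-patterns
# file. Assumption: the post never shows its LOG_TIMESTAMP line; this one
# matches the yyyyMMdd HHmmss SSS layout of the sample log statement.
CUSTOM_PATTERNS_FILE = """\
# application timestamp: yyyyMMdd HHmmss SSS
LOG_TIMESTAMP [0-9]{8} [0-9]{6} [0-9]{3}
"""
# The post's match expression; its (?m) flag becomes re.DOTALL below.
GROK = (r"^\[%{LOGLEVEL:loglevel}%{SPACE}\|%{LOG_TIMESTAMP:timestamp}\]%{SPACE}"
        r"\(%{GREEDYDATA:className}@%{GREEDYDATA}%{NUMBER:threadNumber}%{GREEDYDATA}\)"
        r"%{SPACE}\{%{GREEDYDATA:logContent}\}")
# The log statement from the post.
SAMPLE_LINE = ("[DEBUG|20161226 134758 956] (ElasticManagerImpl@ExecuteThread: '297' "
               "for queue: 'weblogic.kernel.Default') {Using Weblogic-specific timeout "
               "values for context request. RequestTimeout: 7200000 RMIClientTimeout: 7200000}")

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}

def load_patterns(text):
    """Parse grok-patterns text: one 'NAME regex' per line, '#' comments skipped."""
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, regex = line.partition(" ")
            patterns[name] = regex
    return patterns

def compile_grok(grok, patterns):
    """Expand %{...} references (recursively) into a compiled regular expression."""
    def expand(m):
        body = _REF.sub(expand, patterns[m.group(1)])  # a pattern may reference others
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(_REF.sub(expand, grok), re.DOTALL)

def parse_line(line, grok=GROK):
    """Named fields of a matching line, or None (Logstash would tag _grokparsefailure)."""
    patterns = {**BASE_PATTERNS, **load_patterns(CUSTOM_PATTERNS_FILE)}
    m = compile_grok(grok, patterns).match(line)
    return m.groupdict() if m else None
```

A line whose timestamp does not fit the custom definition returns None, which is the case to watch for in Logstash as a _grokparsefailure tag after a log-format change.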


Issues and Solutions

For solutions to more Logstash issues, follow the link Common Logstash Issues.

Your Feedback Motivates Us

If our FacingIssuesOnIT experts' solutions help you resolve your issues and improve your knowledge, please share your comments, like, and subscribe to get notifications for our posts.

Happy Learning !!!