Commonly used Logstash Grok Pattern Examples
Example 1
Use of grok patterns - NUMBER and IP
Application Log -
64.3.89.2 took 300 ms
Grok Pattern -
filter {
  grok {
    match => { "message" => "%{IP:client} took %{NUMBER:duration}" }
  }
}
Output -
{ "duration": "300", "client": "64.3.89.2" }
Example 2
Use of grok patterns - TIMESTAMP_ISO8601, LOGLEVEL, DATA and GREEDYDATA
Application Log -
2020-03-11T17:23:34.000+00:00 WARNING [App.DataService]:Transaction failed for transaction id -4jsdf94jsdf29msdf92
Grok Pattern -
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log-level} \[%{DATA:issuer}\]:%{GREEDYDATA:message}" }
  }
}
Output -
{ "YEAR": "2020", "MONTHNUM": "03", "HOUR": [ "17", "00" ], "log-level": "WARNING", "MINUTE": [ "23", "00" ], "SECOND": "34.000", "message": "Transaction failed for transaction id -4jsdf94jsdf29msdf92", "ISO8601_TIMEZONE": "+00:00", "MONTHDAY": "11", "issuer": "App.DataService", "timestamp": "2020-03-11T17:23:34.000+00:00" }
Note that the output also contains the sub-patterns TIMESTAMP_ISO8601 is built from (YEAR, MONTHNUM, MONTHDAY, HOUR, MINUTE, SECOND, ISO8601_TIMEZONE). The Logstash grok filter only keeps these unnamed captures when its named_captures_only option is set to false; with the default (true) you get just the four named fields.
Example 3
Grok fields are strings by default. Numeric fields (int and float) can be declared by appending the type as a third part of the pattern, %{SYNTAX:SEMANTIC:TYPE}. The pattern must match the whole log line as written; a leading %{TIMESTAMP_ISO8601} would make grok fail on the line below, which carries no timestamp.
Application Log -
Transaction id 567
Grok Pattern -
filter {
  grok {
    match => { "message" => "Transaction id %{USERNAME:transactionid:int}" }
  }
}
Output -
{ "transactionid": 567 }
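To see how the %{SYNTAX:SEMANTIC:TYPE} tokens above turn into regex captures, typed fields and, on a non-matching line, the _grokparsefailure tag, here is a small grok expander written for this page (added example, not Logstash code; the pattern definitions in PATTERNS are simplified stand-ins for the real logstash-patterns-core library, and unlike Example 2 it does not surface the sub-captures of composite patterns):

```python
import re

# Simplified stand-ins for the grok pattern library. Assumption: the real
# definitions in logstash-patterns-core are stricter (e.g. IP rejects 999.1.1.1);
# these are just enough for the sample lines on this page.
PATTERNS = {
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|NOTICE|WARN(?:ING)?|ERROR|CRITICAL|FATAL)",
    "TIMESTAMP_ISO8601": r"[0-9]{4}-[0-9]{2}-[0-9]{2}[T ][0-9]{2}:[0-9]{2}"
                         r"(?::[0-9]{2}(?:\.[0-9]+)?)?(?:Z|[+-][0-9]{2}:?[0-9]{2})?",
    "DATA": r".*?",        # lazy: stops as soon as the rest of the pattern can match
    "GREEDYDATA": r".*",   # greedy: swallows the remainder of the line
}
CONVERTERS = {"int": int, "float": float}  # the optional third part of a token

TOKEN = re.compile(r"%\{(\w+)(?::([\w@.-]+))?(?::(\w+))?\}")

def compile_grok(pattern):
    """Expand %{SYNTAX:field[:type]} tokens into named regex groups."""
    fields = []  # (field name, converter) for each capture group, in order

    def expand(m):
        syntax, field, typ = m.groups()
        regex = PATTERNS[syntax]
        if field is None:               # %{SYNTAX} alone matches but is not kept
            return "(?:" + regex + ")"
        fields.append((field, CONVERTERS.get(typ, str)))
        # group names are generated because grok field names such as
        # "log-level" are not valid Python group identifiers
        return "(?P<g%d>%s)" % (len(fields) - 1, regex)

    return re.compile(TOKEN.sub(expand, pattern)), fields

def grok(pattern, line):
    """Return the captured fields, or the tag Logstash adds when grok cannot match."""
    regex, fields = compile_grok(pattern)
    m = regex.search(line)  # grok is unanchored unless the pattern uses ^ / $
    if m is None:
        return {"tags": ["_grokparsefailure"]}
    return {name: conv(m.group("g%d" % i)) for i, (name, conv) in enumerate(fields)}

if __name__ == "__main__":
    print(grok(r"%{IP:client} took %{NUMBER:duration}", "64.3.89.2 took 300 ms"))
    print(grok(r"Transaction id %{USERNAME:transactionid:int}", "Transaction id 567"))
    # A pattern that demands a timestamp the line does not carry: no partial
    # result, the whole event is tagged instead.
    print(grok(r"%{TIMESTAMP_ISO8601:ts} Transaction id %{USERNAME:transactionid:int}",
               "Transaction id 567"))
```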