How to write grok expression for such log strings?

Akshay · October 22, 2024, 2:36pm

My app logs are as shown below:

[2024-10-21 08:30:02] uat.INFO: Creating fake logs for testing purposes {"hostname":"my-host-6f5blah599-9p9kb","ip":"190.168.19.251","performance":29.680236}

[2024-10-21 08:33:57] uat.INFO: Creating simple fake logs for testing purposes

I am trying to write a GROK expression like:

\[%{TIMESTAMP_ISO8601:log_timestamp}\] %{WORD:app_environment}.%{LOGLEVEL:log_level}: %{GREEDYDATA:message}[\s]?{%{GREEDYDATA:context}}

However it matches only the first line and not the second. How can I tweak it so that it can parse both the log lines?

pablo · October 22, 2024, 8:45pm

@Akshay Are you going to use it in Logstash?

Akshay · October 23, 2024, 1:37am

Nope. I want to use it in data-prepper.

pablo · October 25, 2024, 10:06pm

@Akshay Have you tried this approach?

processor:
  - grok:
        match:
          message: [<first pattern>]
  - grok:
        match:
          message: [<second pattern>]

system · December 24, 2024, 10:07pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline pattern not working as expected Open Source Elasticsearch and Kibana	1	606	February 7, 2023
Concat Captured Values Data Prepper	1	290	December 1, 2023
Concatenate different lines of logstash output into one line Open Source Elasticsearch and Kibana troubleshoot	5	670	May 7, 2023
Data prepper grok instantiation error Data Prepper troubleshoot , configure	1	185	April 20, 2024
Dataprepper read line with json and text Data Prepper	3	1366	October 10, 2023

How to write grok expression for such log strings?

Related topics