0

I am trying to parse below log using grok 

 [2018-10-06 12:04:03:0227] [MYMACHINENAME]

and the grok expression which I used is

/[%{DATESTAMP:date}/] /[%{WORD:data}%/]

and this expression is not working. I tried to replace WORD with hostname even then it not working and if I try to either of the matchers alone then it works. Can anyone provide me the better tutorial pages to learn grok expressions?

Improve this question
0

2 Answers 2

Reset to default
1

There are few errors in your pattern. First off, you escape character using backslash / not forward slash \. Second, you don't need % to match ] in the end. Third, DATESTAMP doesn't match your date pattern, you need TIMESTAMP_ISO8601.

Your final pattern should become,

\[%{TIMESTAMP_ISO8601}\] \[%{WORD}\]
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you..How would i get to know to which date pattern it matches?
0

Regex pattern DATESTAMP is not correct for your string. Try using TIMESTAMP_ISO8601.

Here you can see all grok regex patterns: grok-patterns.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.