3

I am using the following regexes:

INT (?:[+-]?(?:[0-9]+))
VALUE ([0-9]+)
SPACE \s*
DATA .*?
USERNAME [a-zA-Z0-9._-]+
YEAR (?>\d\d){1,2}
MONTHNUM (?:0?[1-9]|1[0-2])
MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
HOUR (?:2[0123]|[01]?[0-9])
MINUTE (?:[0-5][0-9])
SECOND (?:(?:[0-5][0-9]|60))
ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
TIMESTAMP %{YEAR:year}/%{MONTHNUM:monthnum}/%{MONTHDAY:monthday}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}.%{VALUE:_second}
MESSAGE %{DATA}ERR_SYSTEM%{DATA}
PARSE_ERROR %{TIMESTAMP:ts}%{SPACE}%{USERNAME:type1}%{SPACE}%{USERNAME:slave}%{SPACE}%{USERNAME:type2}%{SPACE}[%{USERNAME:fibre1}/USERNAME:fibre2]%{SPACE}%{MESSAGE:message}

Now I have to parse this line:

2013/05/13-05:19:16.776 INFO abcd1 gamereporting
[0000000000000000/00000000000000000000] [GameReportingSlaveImpl:0x30bf7699a010].processReport() : Error processing report for id=18014398509852207, type=frostbite_m, error=ERR_SYSTEM

I get the following after the parsing:

type1: INFO
slave : abcd1
type2: gamereportin

Now type 2 always misses the 'g'. Why is it happening?

Could somebody provide the correct regex for the above line?

1
  • I already have given what I have tried... please help. Commented May 14, 2013 at 6:34

2 Answers

17

Are you using the Grok Debugger?

And where is your Grok pattern? I don't see it in your post.

I would use something similar to the following to start off. As you gave no insight as to how you'd like to save the data, you'll have to add that as you figure it out.

%{DATESTAMP}%{SPACE}%{LOGLEVEL}%{SPACE}%{WORD}%{SPACE}%{WORD}%{SPACE}(?<some_id>\[\d+\/\d+\])

Use the Grok Debugger - it will save you a lot of time.


Update Dec 2022:

Please try this link for the Grok Debugger as it seems they have moved it.


-1

You can use this grok pattern as example:

%{DATESTAMP:timestamp} %{LOGLEVEL:loglevel} %{WORD:slave} %{WORD:type2} \[%{GREEDYDATA:fibre1}\/%{GREEDYDATA:fibre2}\] \[%{WORD:class}\:%{WORD:pointer}\].%{WORD:method}\(\) \: %{GREEDYDATA:message}
