I am trying to set up ELK for a Java application. The Tomcat logs are produced using log4j. To write a test pattern, I am using the Grok Debugger. On the debugger it shows:

    compile error

My log sample:

    yyyy-mm-dd hh:mm:ss,sss info : [so-me-uni-que-id] com.xx.xx.xx.xx.xx - log message here

My grok filter:

    filter {
      if [type] == "tomcat" {
        grok {
          match => { "message" => "%{TOMCATLOG}" }
        }
        date {
          match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
        }
      }
    }

My pattern:

    TOMCATLOG %{TOMCAT_DATESTAMP:timestamp} \| %{LOGLEVEL:level} \| %{uniqueid:uniqueid}\| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}

The basic issue is that the pattern doesn't match the input. At the beginning:

    yyyy-mm-dd hh:mm:ss,sss info : [so-me-uni-que-id]
    %{TOMCAT_DATESTAMP:timestamp} \| %{LOGLEVEL:level} \| %{uniqueid:uniqueid}\|

Your pattern has escaped pipes ("|"), but the input doesn't use them.

I don't see TOMCAT_DATESTAMP in the default patterns; maybe it's buried somewhere.

Start at the left side, matching one piece at a time in the debugger.

    %{TIMESTAMP_ISO8601} %{WORD:level} : \[%{GREEDYDATA:uniqueid}\]

Then keep working your way across, grabbing more stuff with the pattern. Note that the literals (":" and the escaped "[") become part of the pattern.

Good luck!
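
The left-to-right approach from the answer above, as an added Python example that is not part of the original post: it grows the pattern one piece at a time against a constructed sample line and reports the first piece that breaks the match. The pattern table holds simplified stand-ins for the Logstash defaults, and `expand`, `first_failure`, `PIPED` and `FIXED` are hypothetical names.

```python
import re

# Simplified stand-ins for Logstash's default grok patterns (assumption: the
# real definitions in logstash-patterns-core are broader than these).
PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "WORD": r"\b\w+\b",
    "LOGLEVEL": r"(?i:trace|debug|info|warn(?:ing)?|error|fatal)",
    "JAVACLASS": r"(?:[A-Za-z$_][\w$]*\.)*[A-Za-z$_][\w$]*",
    "GREEDYDATA": r".*",
}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(grok):
    """Rewrite %{NAME:field} as a named group; literals stay regex as written."""
    def sub(m):
        name, field = m.groups()
        if name not in PATTERNS:
            raise KeyError(f"undefined grok pattern: {name}")
        return f"(?P<{field}>{PATTERNS[name]})" if field else f"(?:{PATTERNS[name]})"
    return TOKEN.sub(sub, grok)

def first_failure(pieces, line):
    """Grow the pattern one piece at a time; return (index of the first piece
    that breaks the match, or None) and the fields captured up to that point."""
    fields = {}
    for i in range(1, len(pieces) + 1):
        m = re.match(expand("".join(pieces[:i])), line)
        if m is None:
            return i - 1, fields
        fields = m.groupdict()
    return None, fields

# Constructed sample line in the layout shown in the question.
SAMPLE = "2015-03-09 14:22:31,123 INFO : [ab-cd-efg-hi-jk] com.example.app.Service - log message here"

# Pipe-delimited layout from the question (timestamp swapped for a stand-in).
PIPED = ["%{TIMESTAMP_ISO8601:timestamp}", r" \| ", "%{LOGLEVEL:level}", r" \| "]
# The answer's prefix, continued across the rest of the line.
FIXED = ["%{TIMESTAMP_ISO8601:timestamp}", " %{WORD:level}", r" : \[%{GREEDYDATA:uniqueid}\]",
         " %{JAVACLASS:class}", " - %{GREEDYDATA:logmessage}"]

if __name__ == "__main__":
    print(first_failure(PIPED, SAMPLE))
    print(first_failure(FIXED, SAMPLE))
```

The piped layout stops at its second piece, the escaped pipe, while the continued pattern captures every field; the finished string still has to be confirmed in the Grok Debugger against the real default patterns.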