
I'm having issues with Pattern matching with Logstash.

Sample log pattern

```
[DEBUG] 2021-09-13T23:58:24.361 [http-nio-8080-exec-1] [FB-3D] localhost - [i.i.i.a.f.AuthFilter] :: doFilter :: formName B-3D
```

Grok Pattern that works

```
\s?\[%{DATA:loglevel}\] %{TIMESTAMP_ISO8601:logts} \[%{DATA:threadname}\] \[?%{DATA:formname}\] %{DATA:podname} %{DATA:filler1} \[%{DATA:classname}\] %{GREEDYDATA:fullmesg}
```

For the sample log mentioned above, the above grok pattern works fine. But I have some log files where the fourth field does not exist, not even the empty []. I want to know how to handle the same.

Sample log (which is not working using the above pattern)

```
[DEBUG] 2021-09-13T23:58:22.633 [http-nio-8080-exec-1] localhost - [i.i.i.a.f.AuthFilter] :: Requested going to check the
```

In the above case, the fourth field `[?%{DATA:formname}]` does not exist. With the optional condition included in the above grok pattern for formname, it still does not work. It expects the presence of an empty [] field. Is there a way to make the 4th field optional? I.e., a pattern to accommodate even if the field does not exist.

Any help on this is much appreciated. Thanks in advance.

vr3w3c9
  • Does this answer your question? [Logstash optional fields in logfile](https://stackoverflow.com/questions/30083719/logstash-optional-fields-in-logfile) – baudsp Sep 15 '21 at 08:21
  • Replace `\[?%{DATA:formname}\] ` with `(\[%{DATA:formname}\] )?` and it should work – baudsp Sep 15 '21 at 08:26
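
The behaviour described in the question and the replacement suggested in the comment can be checked outside Logstash. This is an added example, not part of the original thread: `GROK`, `grok_to_regex` and `parse` are hypothetical helpers, Python's `re` stands in for grok's regex engine, and `TIMESTAMP_ISO8601` is narrowed to the timestamp shape in the two sample lines.

```python
import re

# Stand-ins for the three grok patterns used on this page. DATA and
# GREEDYDATA follow their grok definitions; TIMESTAMP_ISO8601 is simplified
# to the shape seen in the sample logs (an assumption of this example).
GROK = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} tokens into Python named groups."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

def parse(pattern, line):
    """Return captured fields (unmatched optional groups dropped), or None
    when the line does not match at all."""
    m = grok_to_regex(pattern).search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}

# Pattern from the question: only the opening "[" is optional, so the
# closing "] " of the fourth field is still required.
ORIGINAL = (r"\s?\[%{DATA:loglevel}\] %{TIMESTAMP_ISO8601:logts} "
            r"\[%{DATA:threadname}\] \[?%{DATA:formname}\] %{DATA:podname} "
            r"%{DATA:filler1} \[%{DATA:classname}\] %{GREEDYDATA:fullmesg}")
# Replacement from the comment: the whole "[formname] " unit, including
# its trailing space, becomes one optional group.
FIXED = ORIGINAL.replace(r"\[?%{DATA:formname}\] ", r"(\[%{DATA:formname}\] )?")

# The two sample lines from the question.
WITH_FORM = ("[DEBUG] 2021-09-13T23:58:24.361 [http-nio-8080-exec-1] [FB-3D] "
             "localhost - [i.i.i.a.f.AuthFilter] :: doFilter :: formName B-3D")
NO_FORM = ("[DEBUG] 2021-09-13T23:58:22.633 [http-nio-8080-exec-1] "
           "localhost - [i.i.i.a.f.AuthFilter] :: Requested going to check the")

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("fixed", FIXED)):
        for line in (WITH_FORM, NO_FORM):
            print(name, "->", parse(pat, line))
```

With the original pattern the second line fails outright, so none of its fields would be extracted; with the grouped optional, both lines parse and `formname` is simply absent from the second.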

0 Answers