I am facing an issue while using the Grok filter. Below is my filter, which works as expected while the class name does not have $ in it. When the thread name is like PropertiesReader$ it fails. What else can I use so it can parse class names with special characters?
filter {
    grok {
        match => [ "message", "%{TIMESTAMP_ISO8601:LogDate} %{LOGLEVEL:loglevel} %{WORD:threadName}:%{NUMBER:ThreadID} - %{GREEDYDATA:Line}" ]
    }
    json {
        source => "Line"
    }
    mutate {
        remove_field => [ "Line" ]
    }
}
You are using WORD as a pattern for your threadname, which does not contain special characters. To confirm this, let's take a look at this pattern:
WORD \b\w+\b
Use a custom pattern. Just describe it in a file like this:
MYPATTERN ([A-z]+\$?)
Then you can use it in your config like this:
grok {
    patterns_dir => ["/path/to/pattern/dor"]
    match => [ "message", "%{TIMESTAMP_ISO8601:LogDate} %{LOGLEVEL:loglevel} %{MYPATTERN:threadName}:%{NUMBER:ThreadID} - %{GREEDYDATA:Line}" ]
}
You'll find more information about custom patterns in the docs.
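
A candidate thread-name pattern can be checked against sample lines before it goes into the pipeline, since every line grok cannot match is tagged `_grokparsefailure` and loses its parsed fields. The Ruby script below is an added example, not code from the question, the answer or Logstash: it is a minimal grok-style expander with simplified stand-ins for the stock patterns, constructed sample log lines, and a hypothetical broader pattern named `CLASSNAME` for comparison.

```ruby
# Added example: minimal grok-style expander, not Logstash's implementation.
# Pattern bodies marked "simplified" are stand-ins for the stock definitions.
PATTERNS = {
  'TIMESTAMP_ISO8601' => '\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?', # simplified
  'LOGLEVEL'   => '(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)',                     # simplified
  'NUMBER'     => '\d+',                                                       # simplified
  'GREEDYDATA' => '.*',
  'WORD'       => '\b\w+\b',       # definition quoted in the answer
  'MYPATTERN'  => '([A-z]+\$?)',   # custom pattern from the answer
  'CLASSNAME'  => '[\w$.]+'        # hypothetical broader alternative (assumption)
}.freeze

# Build the page's match expression with a chosen pattern for threadName.
def expr_with(thread_pattern)
  "%{TIMESTAMP_ISO8601:LogDate} %{LOGLEVEL:loglevel} " \
    "%{#{thread_pattern}:threadName}:%{NUMBER:ThreadID} - %{GREEDYDATA:Line}"
end

# Expand %{NAME:field} into a named capture group and compile the regex.
def compile_grok(expr)
  Regexp.new(expr.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{PATTERNS.fetch($1)})" })
end

# Return the captured fields, or the tag Logstash adds when grok cannot match.
def parse(thread_pattern, line)
  m = compile_grok(expr_with(thread_pattern)).match(line)
  m ? m.named_captures : { 'tags' => ['_grokparsefailure'] }
end

# Constructed sample lines: plain name, trailing $, and a nested class with a digit.
SAMPLES = [
  '2024-01-15 10:22:31,120 INFO PropertiesReader:12 - {"msg":"ok"}',
  '2024-01-15 10:22:31,121 INFO PropertiesReader$:12 - {"msg":"ok"}',
  '2024-01-15 10:22:31,122 WARN Config$Loader1:7 - {"msg":"retry"}'
].freeze

# Thread names each candidate pattern extracts (nil where grok would fail).
def coverage(thread_pattern)
  SAMPLES.map { |line| parse(thread_pattern, line)['threadName'] }
end

if __FILE__ == $PROGRAM_NAME
  %w[WORD MYPATTERN CLASSNAME].each { |p| puts "#{p}: #{coverage(p).inspect}" }
end
```

Ruby's regex engine is close to the one grok uses, so the results carry over for patterns this simple; the Grok Debugger or a test pipeline remains the authoritative check.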