logstashelastic-stacklogstash-grok

Grok filter for class name containing $


I am facing issue while using the Grok filter. Below is my filter which is working as expected while the class name do not have $ in it. When thread name is like PropertiesReader$ it is failing. What else can I use so it can parse class name with special characters ?

filter {
      grok {  
           match => [ "message", "%{TIMESTAMP_ISO8601:LogDate} %{LOGLEVEL:loglevel} %{WORD:threadName}:%{NUMBER:ThreadID} - %{GREEDYDATA:Line}" ] 
      }
      json {
           source => "Line" 
      }
      mutate { 
            remove_field => [ "Line" ]  
      }  
}

Solution

  • You are using WORD as a pattern for your threadname which does not contain special characters. To confirm this let's take a look at this pattern: WORD \b\w+\b

    Use a custom pattern. Just describe it in a file like this:

    MYPATTERN ([A-z]+\$?)
    

    Then you can use it in your config like this:

    grok {
        patterns_dir => ["/path/to/pattern/dor"]
        match => [ "message", "%{TIMESTAMP_ISO8601:LogDate} %LOGLEVEL:loglevel} %{MYPATTERN:threadName}:%{NUMBER:ThreadID} - %GREEDYDATA:Line}" ] 
         }
    

    You'll find more information about custom patterns in the docs