I advise you to use the grokdebug online tool, which will be very useful for this kind of use case.
This is a first grok expression that matches most of your data line:
\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:level} \]\[%{GREEDYDATA:class}\] %{GREEDYDATA:action} {:setting=>"%{GREEDYDATA:setting}", :path=>"%{PATH:path}"}
This expression is a starting point for your use case. The result of this grok expression is:
{
  "timestamp": [
    [
      "2021-01-27T11:51:18,838"
    ]
  ],
  "YEAR": [
    [
      "2021"
    ]
  ],
  "MONTHNUM": [
    [
      "01"
    ]
  ],
  "MONTHDAY": [
    [
      "27"
    ]
  ],
  "HOUR": [
    [
      "11",
      null
    ]
  ],
  "MINUTE": [
    [
      "51",
      null
    ]
  ],
  "SECOND": [
    [
      "18,838"
    ]
  ],
  "ISO8601_TIMEZONE": [
    [
      null
    ]
  ],
  "level": [
    [
      "INFO"
    ]
  ],
  "class": [
    [
      "logstash.setting.writabledirectory"
    ]
  ],
  "action": [
    [
      "Creating directory"
    ]
  ],
  "setting": [
    [
      "path.dead_letter_queue"
    ]
  ],
  "path": [
    [
      "C:\Pippo\logstash-7.6.1\data\dead_letter_queue"
    ]
  ],
  "UNIXPATH": [
    [
      null
    ]
  ],
  "WINPATH": [
    [
      "C:\Pippo\logstash-7.6.1\data\dead_letter_queue"
    ]
  ]
}
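To check the expression locally rather than in the online debugger, the sketch below expands the same grok expression (literal brackets and braces escaped) into a Python regex with named groups; it is an added example, not part of the original answer. The `PATTERNS` table holds simplified stand-ins for Logstash's stock pattern definitions, and the sample line is constructed from the field values in the result above.

```python
import re

# Simplified stand-ins for the stock grok patterns (assumption: the real
# definitions shipped with Logstash are broader than these).
PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)",
    "GREEDYDATA": r".*",
    "PATH": r"(?:[A-Za-z]:(?:\\[^\\?*\"]*)+|(?:/[^/\s\"]*)+)",
}

# The grok expression from the answer, with literal [ ] { } escaped.
GROK = (r'\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:level} \]'
        r'\[%{GREEDYDATA:class}\] %{GREEDYDATA:action} '
        r'\{:setting=>"%{GREEDYDATA:setting}", :path=>"%{PATH:path}"\}')


def grok_to_regex(expr):
    """Expand each %{NAME:field} token into a (?P<field>...) named group."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        return "(?P<%s>%s)" % (field, PATTERNS[name])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, expr))


def parse(line, expr=GROK):
    """Return the captured fields, or None where Logstash would tag
    the event with _grokparsefailure."""
    m = grok_to_regex(expr).search(line)
    return m.groupdict() if m else None


# Constructed sample line, rebuilt from the field values in the result above.
SAMPLE = ('[2021-01-27T11:51:18,838][INFO ][logstash.setting.writabledirectory] '
          'Creating directory {:setting=>"path.dead_letter_queue", '
          r':path=>"C:\Pippo\logstash-7.6.1\data\dead_letter_queue"}')

if __name__ == "__main__":
    print(parse(SAMPLE))
    # A line that lacks the [level][class] blocks does not match at all.
    print(parse("[2021-01-27T11:51:18,838] line without level or class"))
```

Lines that return `None` here are the ones to look for under the `_grokparsefailure` tag once the pattern is deployed.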