github-mirrors/logstash
1
0
Fork 0
mirror of https://github.com/elastic/logstash.git synced 2025-08-07 21:31:21 -04:00
Code Issues Projects Releases Packages Wiki Activity
Page: Testing your Grok patterns ( logstash 1.1.0 and above )
Pages
Cool links to help with Logstash and The Elk Stack Custom plugin tutorial using Remote REST service Errata Faq Home Logstash custom filter plugin for Atlassian Crowd Auth Log Part 1 Plugins Recipes Recipes:Encoding fallback Recipes:Logging from Puppet Testing your Grok patterns ( logstash 1.1.0 and above ) Tips Tips: Developing logstash on Windows Tips:Testing your filters irc.freenode.org
Testing your Grok patterns ( logstash 1.1.0 and above )
Manuel Hutter edited this page 2015-08-03 15:02:19 +02:00

Since grok was re-written in ruby, you can directly interact with grok objects from irb. In the following irb session, the environment is jruby-1.6.5 ( in 1.9 mode ) under rvm and jls-grok version 0.9.6.

You'll first need to install the gem with gem install jls-grok.

$ irb
require 'rubygems'
# => true
require 'grok-pure'
# => true
g = Grok.new
# => #<Grok:0x99176f @patterns={}, @logger=#<Cabin::Channel:0x1627c16 @data={}, @outputs=[#
 <Cabin::Outputs::StdlibLogger:0x666d83 @logger=#<Logger:0x9fd062 @logdev=#<Logger::LogDevice:0x29f93b 
  @shift_age=nil, @filename=nil, @dev=#<IO:0x1a998c7>, @mutex=#<Logger::LogDevice::LogDeviceMutex:0x16d4b50 
   @mon_count=0, @mon_mutex=#<Mutex:0x6b93c5>, @mon_owner=nil>, @shift_size=nil>, @formatter=nil, @progname=nil, 
   @default_formatter=#<Logger::Formatter:0xb28980 @datetime_format=nil>, @level=0>>], @level=:warn>>
g.add_pattern("foo", ".*") # pattern name, and the regex
# => nil
g.compile("%{foo}") # compile the named pattern
# => nil
str = "some string"
# => "some string"
g.match(str).captures # match str against pattern, and output the captures 
# => {"foo"=>["some string"]}
g.add_patterns_from_file("/home/alcy/downloads/logstash/patterns/grok-patterns")
# => nil
g.add_patterns_from_file("/home/alcy/downloads/logstash/patterns/linux-syslog")
# => nil
g.compile("%{SYSLOGLINE}")
# => nil
sample_syslog = "May 16 12:17:47 ub1104 ntpdate[704]: step time server 91.189.94.4 offset 0.003341 sec"
# => "May 16 12:17:47 ub1104 ntpdate[704]: step time server 91.189.94.4 offset 0.003341 sec"
g.match(sample_syslog).captures
# => {"SYSLOGLINE"=>["May 16 12:17:47 ub1104 ntpdate[704]: step time server 91.189.94.4 offset 0.003341 sec"], 
 "SYSLOGBASE2"=>["May 16 12:17:47 ub1104 ntpdate[704]:"], 
 "SYSLOGTIMESTAMP:timestamp"=>["May 16 12:17:47"], "MONTH"=>["May"], "MONTHDAY"=>["16", nil], 
 "TIME"=>["12:17:47"], "HOUR"=>["12", nil, nil], "MINUTE"=>["17", nil, nil], "SECOND"=>["47", nil], 
 "TIMESTAMP_ISO8601:timestamp8601"=>[nil], "YEAR"=>[nil], "MONTHNUM"=>[nil], "ISO8601_TIMEZONE"=>[nil], 
 "SYSLOGFACILITY"=>[nil], "POSINT:facility"=>[nil], "POSINT:priority"=>[nil], "SYSLOGHOST:logsource"=>["ub1104"], 
 "IPORHOST"=>["ub1104"], "HOSTNAME"=>["ub1104"], "IP"=>[nil], "SYSLOGPROG"=>["ntpdate[704]"], "PROG:program"=>["ntpdate"], 
 "POSINT:pid"=>["704"], "GREEDYDATA:message"=>["step time server 91.189.94.4 offset 0.003341 sec"]}

Hello! I'm your friendly footer. If you're actually reading this, I'm impressed. :)