Incremental Construction of Grok Patterns

You can provide a number of log file lines and construct, step by step, a grok pattern that matches all of these lines. In each step you select or input a pattern that matches the next logical segment of the log line. This can be a fixed string (e.g. a separator), a (possibly named) pattern from the grok pattern library, or a pattern you explicitly specify. You can also apply a multiline filter first.

In the form below, please enter some log lines for which you want to create a grok pattern, mark the pattern libraries you want to draw your patterns from and then press
You can also just fill this with a random example.

Some log lines you want to match. PLEASE NOTE: For the construction algorithms you should use SEVERAL LINES that should match the pattern, and choose lines that are as diverse as possible. That reduces the search space. The more, the better (within reasonable limits, of course).

Please mark the libraries of grok patterns from logstash v.2.4.0 which you want to use. You probably want to use grok-patterns if you use any of the others, since they rely on the basic patterns defined there.

firewalls, aws, bro, exim, bind, haproxy, linux-syslog, squid, mcollective-patterns, bacula, postgresql, java, maven, grok-patterns, httpd, redis, nagios, rails, mongodb, ruby, mcollective, junos

You can also provide a library of some additional grok patterns in the same format as the pattern files linked above. On each line you give a pattern name, a space and the pattern. For example:

WORD \b\w+\b

If you want to use logstash's multiline filter, please specify the pattern used (it can include grok patterns):

negate the multiline regex
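
The step-by-step construction described above, sketched in Python as an added example (not the tool's own code): each appended segment must match a prefix of every sample line before it is accepted. The library entries (apart from WORD) and the log lines are constructed and simplified, not the logstash v2.4.0 definitions, and Python's `re` module is assumed as a stand-in for the regex engine logstash uses.

```python
import re

# Constructed mini-library in the "NAME<space>pattern" format described above.
# Simplified definitions for this example, not the logstash v2.4.0 files.
LIBRARY = r"""
WORD \b\w+\b
INT [+-]?\d+
IPV4 \d{1,3}(?:\.\d{1,3}){3}
ACTION (?:ACCEPT|DROP)
"""
# Constructed sample firewall-style log lines.
LINES = ["ACCEPT src=10.0.0.5 dport=443", "DROP src=192.168.1.77 dport=22",
         "DROP src=172.16.4.1 dport=8080"]

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def load_library(text):
    """Parse 'NAME pattern' lines into a dict, skipping blanks and # comments."""
    lib = {}
    for line in text.splitlines():
        name, _, pattern = line.strip().partition(" ")
        if name and not name.startswith("#"):
            lib[name] = pattern
    return lib

def expand(grok, lib, depth=0):
    """Replace %{NAME} / %{NAME:field} with the library regex, recursively."""
    if depth > 20:
        raise ValueError("pattern library contains a reference cycle")
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in lib:
            raise KeyError("unknown grok pattern: " + name)
        body = expand(lib[name], lib, depth + 1)
        return "(?P<%s>%s)" % (field, body) if field else "(?:%s)" % body
    return GROK_REF.sub(repl, grok)

def build_incrementally(lines, segments, lib):
    """Append one segment per step; each step must match a prefix of ALL lines.
    Fixed-string segments are assumed to contain no regex metacharacters."""
    pattern = ""
    for seg in segments:
        candidate = re.compile(expand(pattern + seg, lib))
        failed = [l for l in lines if not candidate.match(l)]
        if failed:
            raise ValueError("segment %r does not fit: %r" % (seg, failed))
        pattern += seg
    final = re.compile(expand(pattern, lib))
    return pattern, [l[final.match(l).end():] for l in lines]
```

The second return value is the unmatched remainder of each line, which is what the next step would have to cover; empty remainders mean the pattern consumes every sample line completely.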