A grok pattern for Rails 3.2 logs for use with logstash. Assumes that you have a multiline filter to combine Rails logs into one line and only one worker is logging to a file (c.f. https://gist.github.com/mudge/5063930).

logstash.conf

  multiline {
    tags => ["rails"]
    pattern => "^Started"
    negate => true
    what => "previous"
  }

rails

RAILS3 (?m)Started %{WORD:verb} "%{URIPATHPARAM:request}" for %{IPORHOST:clientip} at (?<timestamp>%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} %{ISO8601_TIMEZONE:timezone})\s*Processing by (?<controller>[^#]+)#(?<action>\w+) as (?<format>\S+)(?:\n  Parameters: %{DATA:params}\n)?%{DATA}Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms \(Views: %{NUMBER:viewms}ms \| ActiveRecord: %{NUMBER:activerecordms}ms%{GREEDYDATA}

👍 Thanks.

@ese thanks, there is a typo in your comment RAILSPROFILE doesn't exist

can someone give more details into this...I have the ELK setup...I want to start with just basic rails log forwarded to the logstash server...which grok pattern should I use?

What files do you edit and add the filter to?

Here's a derivative version that I made, which uses Filebeat to combine multiline messages instead of Logstash (so LS groks the multiline message). Tested with :uuid enabled on Unicorn and Thin, with Rails 3.
https://gist.github.com/excalq/0c5023fce8af90089040daa6404525f2