Application of grok pattern to the actual YAML

This is related to the topic "Capturing all messages in a log".

I was able to parse the messages inside the log with ([%{QS:user_msg1},)(?:|%{QS:user_msg2},)(?:|%{QS:user_msg3},).....(?:|%{QS:user_msg10}]),"%{NOTSPACE}"

The grok debugger is accepting the grok pattern.

However, when I applied it to YAML:
'grok {
match => { "message" => ([%{QS:user_msg1},)(?:|%{QS:user_msg2},)(?:|%{QS:user_msg3},).....(?:|%{QS:user_msg10}]),"%{NOTSPACE}"}
}'

I'm getting an error: '"Expected one of #, ", ', -, [, { grok { match => { "message" => ([%{QS:user_msg1},)(?:|%{QS:user_msg2},)(?:|%{QS:user_msg3},).....(?:|%{QS:user_msg10}]),"%{NOTSPACE}"} }".'

I checked and double-checked that all {, [ and ( are matching.

I tried all the symbols suggested in the error message but I still got the same result.
Would anybody have a clue what I'm missing here?

Appreciate any information.

Thank you.

Put single quotes around your grok pattern 🙂

I already tried using #, ", ', -, [ but it's still the same.
Maybe I'm doing it wrong.
Should it be like this?

grok {
match => { "message" => '([%{QS:user_msg1},)(?:|%{QS:user_msg2},)(?:|%{QS:user_msg3},).....(?:|%{QS:user_msg10}])',"%{NOTSPACE}"}
}

Hi Jenni,

I tried putting the single quote in different places and now it's working.

Thanks so much.

grok {
match => { "message" => '([%{QS:user_msg1},)(?:|%{QS:user_msg2},)(?:|%{QS:user_msg3},).....(?:|%{QS:user_msg10}]),"%{NOTSPACE}"'}
}
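
An added example, not from any post in this thread and not Logstash's own parser: a simplified Python check run over the three `match` lines posted above, showing why only the last one is accepted. It assumes the value after `=>` must be one quoted string followed only by `}`; the names `check_match_value`, `UNQUOTED`, `SPLIT`, `WORKING` and `DOUBLE` are hypothetical.

```python
import re

# Simplified assumption (not Logstash's real grammar): in
#   match => { "field" => VALUE }
# VALUE must be ONE quoted string, and only the closing brace may follow it.
ENTRY = re.compile(r'match\s*=>\s*\{\s*"[^"]*"\s*=>\s*(.*)$', re.S)

# The three lines posted in the thread, copied verbatim (including the "....." elision).
UNQUOTED = r'''match => { "message" => ([%{QS:user_msg1},)(?:|%{QS:user_msg2},)(?:|%{QS:user_msg3},).....(?:|%{QS:user_msg10}]),"%{NOTSPACE}"}'''
SPLIT = r'''match => { "message" => '([%{QS:user_msg1},)(?:|%{QS:user_msg2},)(?:|%{QS:user_msg3},).....(?:|%{QS:user_msg10}])',"%{NOTSPACE}"}'''
WORKING = r'''match => { "message" => '([%{QS:user_msg1},)(?:|%{QS:user_msg2},)(?:|%{QS:user_msg3},).....(?:|%{QS:user_msg10}]),"%{NOTSPACE}"'}'''
# Constructed variant: the working line with double quotes as the wrapper instead.
DOUBLE = WORKING.replace("'", '"')


def check_match_value(line):
    """Classify the value of a one-line match entry: ok, unquoted, unterminated or trailing-text."""
    m = ENTRY.search(line)
    if not m:
        return "no-match-entry"
    rest = m.group(1)
    if not rest or rest[0] not in "\"'":
        return "unquoted"            # value does not begin with a quote at all
    quote, i = rest[0], 1
    while i < len(rest) and rest[i] != quote:
        i += 2 if rest[i] == "\\" else 1   # a backslash escapes the next character
    if i >= len(rest):
        return "unterminated"        # opening quote is never closed
    tail = rest[i + 1:].strip()
    # Anything other than the closing brace means the string ended too early.
    return "ok" if tail == "}" else "trailing-text"


if __name__ == "__main__":
    for name in ("UNQUOTED", "SPLIT", "WORKING", "DOUBLE"):
        print(f"{name:9} -> {check_match_value(globals()[name])}")
```

The pattern itself contains double quotes around `%{NOTSPACE}`, so a double-quoted wrapper ends at the first inner quote, while a single-quoted wrapper spans the whole pattern.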
