Assistance with grok filter

Elastic Stack Logstash
1

So my grok is working great, but my index is not creating new fields as I would expect (new field as in 'entryDateTime', 'user', and 'event').

First off, here is the data in my log file:

2016-03-09T16:22:39-06:00|dpich|Logged In 2016-03-09T16:22:42-06:00|dpich|Logged Out 2016-03-09T16:22:45-06:00|dpich|Logged In 2016-03-09T16:25:14-06:00|snorheim|Logged In 2016-03-09T16:25:59-06:00|lguck|Logged In 2016-03-09T16:26:29-06:00|wjensen|Logged In 2016-03-09T16:29:27-06:00|jbarnard|Logged In

It is getting into ELK/ES just fine. However it is not creating a new field.

Here is my filter:

'      else if [logFormat] == "masterauthlog" { # Master Authentication Logs
        grok {
          match => ["message","%{TIMESTAMP_ISO8601:entryDateTime}\|%{WORD:user}\|%{GREEDYDATA:event}"]
        }
      }'

I for the life of me can't figure out why it's not creating new fields for this delimited data.

2

When I kick it to a plain file, this is how it looks:

{"message":"2016-03-09T16:53:12-06:00|dpich|Logged Out","@version":"1","@timestamp":"2016-03-09T22:53:18.116Z","file":"/var/log/apache2/master_auth.log","host":"primaryweb-wheezy","offset":"4330","logType":"masterauthlog"} {"message":"2016-03-09T16:53:10-06:00|dpich|Logged In","@version":"1","@timestamp":"2016-03-09T22:53:18.052Z","file":"/var/log/apache2/master_auth.log","host":"primaryweb-wheezy","offset":"4288","logType":"masterauthlog"} {"message":"2016-03-09T16:53:15-06:00|dpich|Logged In","@version":"1","@timestamp":"2016-03-09T22:53:18.267Z","file":"/var/log/apache2/master_auth.log","host":"primaryweb-wheezy","offset":"4373","logType":"masterauthlog"} {"message":"2016-03-09T16:53:22-06:00|dpich|Logged In","@version":"1","@timestamp":"2016-03-09T22:53:25.709Z","file":"/var/log/apache2/master_auth.log","host":"primaryweb-wheezy","offset":"4458","logType":"masterauthlog"}

3

Your configuration says logFormat but the field is actually called logType.

4

That did the trick!

Thanks magnusbaeck!