Can't implement custom pattern inside a filter


(Darya Semenova) #1

Hello,
For some reason in my case logstash keeps not compiling when I try to use a custom pattern. So I tried to implement a needed pattern as a field (the easier one now for testing, just a letter with a '-' in front of it), but it doesn't seem to work. Logstash compiles, but logs do not match.

grok {
    remove_tag => ["_grokparsefailure"]
    match => {
        "message" => ["%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: xCAT: Allowing %{GREEDYDATA:xCAT_comm_exec} (?<o_option> (\-[O-Oo-o])) %{GREEDYDATA:x_CAT_used_nodes}  for %{USERNAME:xcat_user} from %{SYSLOGHOST:xcat_user_hostname}"]
     }
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{host}" ]    }
}

Logs that are supposed to be parsed with that grok filter look like this:

May 11 12:14:42 head-testing xcat[12345]: xCAT: Allowing lsdef -t node -o n00p123,n01p123,n10p123,n01p123,ndfl-mic1,testnode1 for admin from localhost

(Magnus Bäck) #2

For some reason in my case logstash keeps not compiling when I try to use a custom pattern.

What's the error message?

So I tried to implement a needed pattern as a field, but it doesn't seem to work.

I don't understand what "implement a pattern as a field" means.


(Darya Semenova) #3

This part in the command:

(?<o_option> (\-[O-Oo-o])) 

This part is supposed to find -o in

May 11 12:14:42 head-testing xcat[12345]: xCAT: Allowing lsdef -t node -o n00p123,n01p123,n10p123,n01p123,ndfl-mic1,testnode1 for admin from localhost

#4

You're currently matching something like: [Space]-o (watch out for spaces!)

Try (?<o_option>\-[Oo]) instead
Always test your grok pattern before (here for example: http://grokdebug.herokuapp.com/)
And when having a problem, use the rubydebug output codec to see any stacktrace
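
Added example (not part of the thread and not posted by any participant): a Ruby sketch that expands grok syntax into a regular expression, showing why the pattern from post #1 fails on the sample line and why the one suggested in post #4 matches. The `PATTERNS` table holds simplified stand-ins for the stock grok patterns, the helper names are hypothetical, and the tail uses ` +for` in place of the two literal spaces in the posted pattern, since the sample line as shown has a single space there.

```ruby
# Simplified stand-ins for the stock grok patterns (assumptions of this
# example, not the definitions shipped with Logstash).
PATTERNS = {
  "SYSLOGTIMESTAMP" => '[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}',
  "SYSLOGHOST"      => '[\w.-]+',
  "USERNAME"        => '[a-zA-Z0-9._-]+',
  "POSINT"          => '[1-9][0-9]*',
  "DATA"            => '.*?',
  "GREEDYDATA"      => '.*'
}.freeze

# Expand %{NAME:field} into a named group and %{NAME} into a plain group.
def grok_to_regexp(grok)
  src = grok.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = PATTERNS.fetch(name)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
  Regexp.new(src)
end

# Return captured fields, or nil where Logstash would tag _grokparsefailure.
def grok_match(grok, line)
  m = grok_to_regexp(grok).match(line)
  m && m.named_captures
end

# Shared parts of the thread's pattern; TAIL uses " +for" (assumption).
HEAD = '%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} ' \
       '%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: xCAT: Allowing ' \
       '%{GREEDYDATA:xCAT_comm_exec} '
TAIL = ' %{GREEDYDATA:x_CAT_used_nodes} +for %{USERNAME:xcat_user} ' \
       'from %{SYSLOGHOST:xcat_user_hostname}'
ORIGINAL = HEAD + '(?<o_option> (\-[O-Oo-o]))' + TAIL  # post #1: space inside the group
FIXED    = HEAD + '(?<o_option>\-[Oo])' + TAIL         # post #4: no leading space

# Sample line from the thread, plus a constructed variant with two spaces
# before -o, which is what the original pattern actually requires.
LINE = "May 11 12:14:42 head-testing xcat[12345]: xCAT: Allowing lsdef -t node " \
       "-o n00p123,n01p123,n10p123,n01p123,ndfl-mic1,testnode1 for admin from localhost"
TWO_SPACES = LINE.sub(" -o", "  -o")

p grok_match(ORIGINAL, LINE)
p grok_match(ORIGINAL, TWO_SPACES)["o_option"]
p grok_match(FIXED, LINE).slice("xCAT_comm_exec", "o_option", "xcat_user")
```
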


(Darya Semenova) #5

Ok, thank you very much for your help!

