Hello,
I'm using custom grok pattern to extract file extension from field called message
Here's the configuration snippet:
filter {
grok {
match => {
"message" => "(?<file_ext>(\.[^.\\/:*?"<>|\r\n]+$))"
}
}}
Here's message field content sample:
asdasdas.txt asdsadsa asdsa.pdf
Here's Grok Debugger screenshot:
And here's the error message:
[ERROR] 2019-09-26 16:01:21.865 [Converge PipelineAction::Reload] agent - Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Expected one of #, {, } at line 39, column 43 (byte 698) after filter {\r\n\tgrok {\r\n\t\tmatch => {\r\n\t\t\t"message" => "(?<file_ext>(\.[^.\\/:*?"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2577:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/reload.rb:37:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:325:in `block in converge_state'"]}
Any clues what might be the cause for this error? I'm surprised since Debugger shows a positive result.