Thank you. Now the log file says that my custom grok pattern is not defined, even though a few hundred lines earlier I can see the filter adding it (see the log excerpt below).
Any ideas why?
[2020-10-02T15:35:50,899][DEBUG][logstash.filters.grok ][main] Adding pattern {"TIMESTAMP_DOTNET_EU"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}"}
[2020-10-02T15:35:50,919][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?<WORD:identifier>\b\w+\b)
[2020-10-02T15:35:50,920][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?<WORD:sequence>\b\w+\b)
[2020-10-02T15:35:50,920][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?<TIMESTAMP_DOTNET_EU:date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME})
[2020-10-02T15:35:50,921][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:(?>\d\d){1,2})
[2020-10-02T15:35:50,922][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:(?:0?[1-9]|1[0-2]))
[2020-10-02T15:35:50,922][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))
[2020-10-02T15:35:50,923][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9]))
[2020-10-02T15:35:50,923][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:(?:2[0123]|[01]?[0-9]))
[2020-10-02T15:35:50,924][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:(?:[0-5][0-9]))
[2020-10-02T15:35:50,924][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))
[2020-10-02T15:35:50,924][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?<LOGLEVEL:level>([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?))
[2020-10-02T15:35:50,924][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?<IPORHOST:client>(?:%{IP}|%{HOSTNAME}))
[2020-10-02T15:35:50,925][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:(?:%{IPV6}|%{IPV4}))
[2020-10-02T15:35:50,925][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)
[2020-10-02T15:35:50,925][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))
[2020-10-02T15:35:50,926][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?:\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))
[2020-10-02T15:35:50,926][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?<NOTSPACE:user>\S+)
[2020-10-02T15:35:50,927][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?<NOTSPACE:method>\S+)
[2020-10-02T15:35:50,927][DEBUG][logstash.filters.grok ][main] replacement_pattern => (?<GREEDYDATA:message>.*)
[2020-10-02T15:35:50,934][DEBUG][logstash.filters.grok ][main] Grok compiled OK {:pattern=>"%{WORD:identifier}:%{WORD:sequence}\\t%{TIMESTAMP_DOTNET_EU:date}\\t%{LOGLEVEL:level}\\t%{IPORHOST:client}\\t%{NOTSPACE:user}\\t%{NOTSPACE:method}\\t%{GREEDYDATA:message}", :expanded_pattern=>"(?<WORD:identifier>\\b\\w+\\b):(?<WORD:sequence>\\b\\w+\\b)\\t(?<TIMESTAMP_DOTNET_EU:date>(?:(?>\\d\\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])) (?:(?!<[0-9])(?:(?:2[0123]|[01]?[0-9])):(?:(?:[0-5][0-9]))(?::(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))(?![0-9])))\\t(?<LOGLEVEL:level>([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?))\\t(?<IPORHOST:client>(?:(?:(?:(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(
%.+)?)|(?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))|(?:\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b))))\\t(?<NOTSPACE:user>\\S+)\\t(?<NOTSPACE:method>\\S+)\\t(?<GREEDYDATA:message>.*)"}
[2020-10-02T15:35:50,974][DEBUG][logstash.filters.grok ][main] Grok patterns path {:paths=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.1.2/patterns", "/usr/share/logstash/patterns/*"]}
[2020-10-02T15:35:50,976][DEBUG][logstash.filters.grok ][main] Grok patterns path {:paths=>[]}
[2020-10-02T15:35:50,982][DEBUG][logstash.filters.grok ][main] Match data {:match=>{"message"=>"%{WORD:identifier}:%{WORD:sequence}\\t%{TIMESTAMP_DOTNET_EU:date}\\t%{LOGLEVEL:level}\\t%{IPORHOST:client}\\t%{NOTSPACE:user}\\t%{NOTSPACE:method}\\t%{GREEDYDATA:message}"}}
[2020-10-02T15:35:50,983][DEBUG][logstash.filters.grok ][main] regexp: /message {:pattern=>"%{WORD:identifier}:%{WORD:sequence}\\t%{TIMESTAMP_DOTNET_EU:date}\\t%{LOGLEVEL:level}\\t%{IPORHOST:client}\\t%{NOTSPACE:user}\\t%{NOTSPACE:method}\\t%{GREEDYDATA:message}"}
[2020-10-02T15:35:51,096][DEBUG][logstash.javapipeline ][main] Pipeline terminated by worker error {:pipeline_id=>"main", :exception=>#<Grok::PatternError: pattern %{TIMESTAMP_DOTNET_EU:date} not defined>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:123:in `block in compile'", "org/jruby/RubyKernel.java:1442:in `loop'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:93:in `compile'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.3.0/lib/logstash/filters/grok.rb:288:in `block in register'", "org/jruby/RubyArray.java:1809:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.3.0/lib/logstash/filters/grok.rb:282:in `block in register'", "org/jruby/RubyHash.java:1415:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.3.0/lib/logstash/filters/grok.rb:277:in `register'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:75:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:226:in `block in register_plugins'", "org/jruby/RubyArray.java:1809:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:225:in `register_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:560:in `maybe_setup_out_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:238:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:183:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134:in `block in start'"], "pipeline.sources"=>["/usr/share/logstash/pipeline/logstash.conf", "/usr/share/logstash/pipeline/logstash.conf.save"], :thread=>"#<Thread:0x50af2ffd run>"}