Custom grok pattern failure with forwardslashes


(Prophoto) #1

About 1/400 log entries I'm feeding logstash will have a forwardslash "/" in it. How do I account for that and prevent a grok failure?


(Magnus Bäck) #2

That obviously depends on the data and the grok expression you use.


(Prophoto) #3

Field is being matched with %{DATA:incident_type}. Most are plain text, but some of the data has a forwardslash.

Examples:
THIS INCIDENT TYPE
THAT INCIDENT TYPE
ANOTHER INCIDENT TYPE
THIS/THAT INCIDENT TYPE <--doesn't match and throws grok failure.


(Magnus Bäck) #4

DATA matches forward slashes. What does the full grok expression and a complete line of input look like?


(Prophoto) #6

I found the problem, not related to slashes. Content was changed on the server side. I was using BASE10NUM for a field in the grok pattern the content now possibly includes characters and numbers. I switched it to DATA and all is well. Thanks!


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.