I am testing custom grok patterns.
First with the following logstash config:
input {
  stdin {}
}
filter {
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:time} %{GREEDYDATA:other}" }
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
When I submit
May 8 06:47:27 aef46fa42c11[1036]: 29.22.234.151
The result is as expected:
{
      "@version" => "1",
       "message" => "May 8 06:47:27 aef46fa42c11[1036]: 29.22.234.151",
          "host" => "scw-8ccfeb",
    "@timestamp" => 2018-05-08T04:52:55.115Z,
          "time" => "May 8 06:47:27",
         "other" => "aef46fa42c11[1036]: 29.22.234.151"
}
But when I try to include in the match the custom pattern, it doesn't work:
match => { "message" => "%{SYSLOGTIMESTAMP:time} (?<clientid>[a-z0-9]+\[[0-9]+\]) %{GREEDYDATA:other}" }
The same input gives a _grokparsefailure:
May 8 06:47:27 aef46fa42c11[1036]: 29.22.234.151
Result:
{
          "host" => "scw-8ccfeb",
      "@version" => "1",
          "tags" => [
        [0] "_grokparsefailure"
    ],
       "message" => "May 8 06:47:27 aef46fa42c11[1036]: 29.22.234.151",
    "@timestamp" => 2018-05-08T04:58:50.598Z
}
I have tested the regular expression (on http://rubular.com/ as well as https://regex101.com/) and it looks good.
I doubt the way I implemented it in the match expression.
Any hint is appreciated.
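The behaviour described in the post, reproduced outside Logstash as an added example (this is not code from the original post): a small Ruby stand-in for grok's pattern expansion, using Ruby's Oniguruma regex engine, which is also what the grok filter uses. The pattern table holds simplified copies of the stock MONTH, MONTHDAY, TIME, SYSLOGTIMESTAMP and GREEDYDATA definitions (the real ones are longer; these are assumptions sufficient for the posted line). It runs the posted pattern against the posted line, then a second pattern (my own variant, not from the post) that accounts for the colon that follows the bracketed number in the input, `aef46fa42c11[1036]:`, which the posted pattern expects to be a space.

```ruby
# Simplified grok pattern definitions (assumption: trimmed versions of the
# stock patterns shipped with the Logstash grok filter).
PATTERNS = {
  'MONTH'    => '\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|' \
                'Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b',
  'MONTHDAY' => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  'HOUR'     => '(?:2[0123]|[01]?[0-9])',
  'MINUTE'   => '(?:[0-5][0-9])',
  'SECOND'   => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  'TIME'     => '%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])',
  'SYSLOGTIMESTAMP' => '%{MONTH} +%{MONTHDAY} %{TIME}',
  'GREEDYDATA' => '.*',
}.freeze

# Expand %{NAME:field} into a named capture and %{NAME} into a
# non-capturing group, repeating until no %{...} references remain.
def expand(pattern)
  loop do
    replaced = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
      name, field = Regexp.last_match(1), Regexp.last_match(2)
      body = PATTERNS.fetch(name) { raise ArgumentError, "unknown pattern #{name}" }
      field ? "(?<#{field}>#{body})" : "(?:#{body})"
    end
    break replaced if replaced == pattern
    pattern = replaced
  end
end

# Match a grok pattern against one line; return the named fields as a Hash,
# or nil when the line does not match (grok would tag _grokparsefailure).
def grok(pattern, line)
  m = Regexp.new(expand(pattern)).match(line)
  return nil unless m
  m.names.map { |n| [n, m[n]] }.to_h
end

# The line from the post.
LINE = 'May 8 06:47:27 aef46fa42c11[1036]: 29.22.234.151'.freeze

# The pattern exactly as posted: a space is required right after "]".
POSTED = '%{SYSLOGTIMESTAMP:time} (?<clientid>[a-z0-9]+\[[0-9]+\]) %{GREEDYDATA:other}'.freeze

# Variant (assumption, not from the post): consume the ":" that follows "]"
# in the input before the space and GREEDYDATA.
WITH_COLON = '%{SYSLOGTIMESTAMP:time} (?<clientid>[a-z0-9]+\[[0-9]+\]): %{GREEDYDATA:other}'.freeze

if __FILE__ == $PROGRAM_NAME
  p grok(POSTED, LINE)      # nil: no match, i.e. _grokparsefailure
  p grok(WITH_COLON, LINE)  # {"time"=>"May 8 06:47:27", "clientid"=>"aef46fa42c11[1036]", "other"=>"29.22.234.151"}
end
```

Running the posted pattern through the same expansion that grok performs shows that the regex itself is fine; the mismatch is between the literal text around the custom capture and the input line, which is the part a regex tester does not exercise unless the full expanded pattern is pasted into it.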