I'm trying to set up an environment for grok debugging and made this with a docker.
Everything works fine, until logstash tries to resolve a custom pattern. Here is my environment:
I start the docker with:
docker run -it --name logstash_debug -v /home/cloud/docker-elk/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml -v /home/cloud/docker-elk/logstash/pipeline/:/usr/share/logstash/pipeline/ -v /home/cloud/docker-elk/logstash/patterns/:/usr/share/logstash/patterns docker.elastic.co/logstash/logstash:7.2.0
As I said, logstash starts up, loads the pipeline (debug.conf)
input { stdin {} }
filter {
  grok {
    patterns_dir => ["/usr/share/logstash/patterns"]
    match => ["message", "%{YEAR1} [%{LOGLEVEL:loglvl}] %{GREEDYDATA:message}"]
  }
  date {
    match => ["customer_time", "${YEAR1}"]
    target => "@timestamp"
  }
}
output { stdout { codec => rubydebug } }
and gives me this error:
Cannot evaluate ${YEAR1}. Replacement variable YEAR1 is not defined in a Logstash secret store or as an Environment entry and there is no default value given.
The patterns_dir contains a file "dateformats" which contains (stripped it down to a minimum):
YEAR1 %{YEAR}
The logstash debug output gives me this:
[DEBUG][logstash.filters.grok ] config LogStash::Filters::Grok/@patterns_dir = ["/usr/share/logstash/patterns"]
[DEBUG][logstash.filters.grok ] config LogStash::Filters::Grok/@match = {"message"=>"%{YEAR1} [%{LOGLEVEL:loglvl}] %{GREEDYDATA:message}"} .....
[DEBUG][logstash.filters.grok ] config LogStash::Filters::Grok/@patterns_files_glob = "*"
Normally logstash should be able to grab this file (I even started the docker with --user 0 to be sure that I have no permission problem) but it somehow can't.
Can anyone give me a hint as to what's going on?
Thanks and cheers,
Wurzelseppi
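
An added example, not part of the original post: a Python check that scans a pipeline file for `${NAME}` references, which Logstash looks up in the secret store or the environment when it loads the config (as the error message above states), and flags names that are really defined in the patterns_dir files. The function names and the sample input are constructed for illustration, and the keystore is not consulted.

```python
import re

# ${NAME} or ${NAME:default}: Logstash substitutes these when the config is
# loaded, from the secret store or the process environment, not patterns_dir.
ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")


def load_pattern_names(patterns_text):
    """Return the names defined in a grok patterns file ("NAME regex" per line)."""
    names = set()
    for line in patterns_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split(None, 1)[0])
    return names


def check_pipeline(pipeline_text, custom_patterns, env):
    """Return (line_number, name, reason) for each ${...} that cannot resolve."""
    findings = []
    for lineno, line in enumerate(pipeline_text.splitlines(), start=1):
        for m in ENV_REF.finditer(line):
            name, default = m.group(1), m.group(2)
            if name in env or default is not None:
                continue  # resolvable: environment value or inline default
            if name in custom_patterns:
                reason = ("defined in patterns_dir, but ${} looks up the "
                          "environment/secret store, not grok patterns")
            else:
                reason = "not set in the environment and no default given"
            findings.append((lineno, name, reason))
    return findings


# Constructed sample input mirroring the files in the post.
PATTERNS = "YEAR1 %{YEAR}\n"
PIPELINE = '''filter {
  grok {
    patterns_dir => ["/usr/share/logstash/patterns"]
    match => ["message", "%{YEAR1} [%{LOGLEVEL:loglvl}] %{GREEDYDATA:message}"]
  }
  date {
    match => ["customer_time", "${YEAR1}"]
  }
}'''

if __name__ == "__main__":
    for finding in check_pipeline(PIPELINE, load_pattern_names(PATTERNS), env={}):
        print("line %d: %s: %s" % finding)
```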