Dissector mapping, pattern not found in Logstash

Elastic Stack Logstash
1

Hi Team,

I am getting Dissector mapping, pattern not found in Logstash while start logstash.

2

What does your dissect filter configuration look like? What does the field you are dissecting look like if you use

output { stdout { codec => rubydebug } }
3

Hi @Badger,

Thanks for your reply.
Please find the below pattern, Earlier it was working fine . When I have added new fields" RequestType". It starts giving an error.

dissect
{
mapping => {"message"=>'%{DATETIME}| %{LOGLEVEL} |%{LOGSOURCE} |%{Id} %{Name} |%{JobId} |%{Type}|
%{RequestType} |%{LOGMESSAGE}' }
}

4

Please show an example of the [message] field.

5

Hi @Badger ,

Please find the  below message, which we are trying to filter in logstash:`
`2021-01-19 08:54:37.8399|DEBUG|BulkUpdate|46497||1514||||Entering in JobTask:1514 to the Job Status:3 for the Id:46497.`
`2021-01-18:54:37.9185|DEBUG|BulkUpdate|46497|Name|1514|Multimedia|
Activate|100052270|Taking Lock Object on the ID while doing the Bulk Activate:1000052270.
`
Please find the  logstash config file below:
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input {
  beats {
    port => 5044
  }
}
filter {
   mutate {
			add_field => { "[@metadata][index]" => "%{[fields][type]}" }
		 }    	
  if [@metadata][index] == "log"{ 
dissect { mapping => { "message"=> '%{DATETIME} |%{LOGLEVEL} |%{LOGSOURCE} |%{Id} |%{Name} |%{JobId} |%{ObjectType} 
|%{RequestType}|%{ContentId} |%{LOGMESSAGE}' } }
		}
	else
	{
			dissect { mapping => { "message" => "%{DATETIME}|%{LOGLEVEL}|%{LOGSOURCE}|%{LOGMESSAGE}" } }
	}	
	}
output {
 
	elasticsearch {

		hosts => ["https://x.x.x.x:9200"]	
		user => "elastic"
		password => "xxxxxxx"
		index => "%{[@metadata][index]}-%{+YYYY.MM.dd}"
		ssl => true		
		cacert => "C:\Logstash\logstash-7.7.1\config\ca_logstash.cer"
		ssl_certificate_verification => false
		manage_template => false
     
    }
	
	}

Below are the error which we are getting from logstash:
[2021-01-19T06:17:55,405][WARN ][org.logstash.dissect.Dissector][main][e403b63e1abf9a7775c97a93d177eeea4cd151e974911b37e5599183d6f6dfd0] Dissector mapping, pattern not found {"field"=>"message", "pattern"=>"%{DATETIME} |%{LOGLEVEL} |%{LOGSOURCE} |%{Id} |%{Name} |%{JobId} |%{ObjectType} \r\n|%{RequestType}|%{ContentId} |%{LOGMESSAGE}", "
6

If you have a dissect pattern like %{DATETIME} | with a space before the pipe, then the message field must also have a space before the pipe, and your events do not have that. Try

    dissect { mapping => { "message"=> '%{DATETIME}|%{LOGLEVEL}|%{LOGSOURCE}|%{Id}|%{Name}|%{JobId}|%{ObjectType}|%{RequestType}|%{ContentId}|%{LOGMESSAGE}' } }
7

Hi @Badger,
I am using the above pattern, but still I am getting the same error
[2021-01-20T04:50:43,232][WARN ][org.logstash.dissect.Dissector][main][fbd05f1f288405b7f74052f29a87e8f57e7878c7621ba1b97ec752e58c8b1053] Dissector mapping, pattern not found {"field"=>"message", "pattern"=>"%{DATETIME}|%{LOGLEVEL}|%{LOGSOURCE}|%{Id}|%{Name}|%{JobId}|%{ObjectType}|%{RequestType}|%{ContentId}|%{LOGMESSAGE}",

Please find my observation below:
If I am using below pattern its working fine.
dissect { mapping => { "message" => "%{DATETIME}|%{LOGLEVEL}|%{LOGSOURCE}|%{Id}|%{Name}|%{JobId}|%{ObjectType}|%{LOGMESSAGE}" } }

If I am using below Pattern after adding "ContentId" field its not working & giving me the above error
dissect { mapping => { "message" => "%{DATETIME}|%{LOGLEVEL}|%{LOGSOURCE}|%{Id}|%{Name}|%{JobId}|%{ObjectType}|%{ContentId}|%{LOGMESSAGE}" } }

8

Its Resolved.

Thanks @Badger, for your help.Its log message fields mistake .

9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.