Dissector mapping, pattern not found in Logstash

Hi Team,

I am getting Dissector mapping, pattern not found in Logstash while start logstash.

What does your dissect filter configuration look like? What does the field you are dissecting look like if you use

output { stdout { codec => rubydebug } }

Hi @Badger,

Thanks for your reply.
Please find the below pattern, Earlier it was working fine . When I have added new fields" RequestType". It starts giving an error.

mapping => {"message"=>'%{DATETIME}| %{LOGLEVEL} |%{LOGSOURCE} |%{Id} %{Name} |%{JobId} |%{Type}|
%{RequestType} |%{LOGMESSAGE}' }

Please show an example of the [message] field.

Hi @Badger ,

Please find the  below message, which we are trying to filter in logstash:`
`2021-01-19 08:54:37.8399|DEBUG|BulkUpdate|46497||1514||||Entering in JobTask:1514 to the Job Status:3 for the Id:46497.`
Activate|100052270|Taking Lock Object on the ID while doing the Bulk Activate:1000052270.
Please find the  logstash config file below:
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input {
  beats {
    port => 5044
filter {
   mutate {
			add_field => { "[@metadata][index]" => "%{[fields][type]}" }
  if [@metadata][index] == "log"{ 
dissect { mapping => { "message"=> '%{DATETIME} |%{LOGLEVEL} |%{LOGSOURCE} |%{Id} |%{Name} |%{JobId} |%{ObjectType} 
|%{RequestType}|%{ContentId} |%{LOGMESSAGE}' } }
			dissect { mapping => { "message" => "%{DATETIME}|%{LOGLEVEL}|%{LOGSOURCE}|%{LOGMESSAGE}" } }
output {
	elasticsearch {

		hosts => ["https://x.x.x.x:9200"]	
		user => "elastic"
		password => "xxxxxxx"
		index => "%{[@metadata][index]}-%{+YYYY.MM.dd}"
		ssl => true		
		cacert => "C:\Logstash\logstash-7.7.1\config\ca_logstash.cer"
		ssl_certificate_verification => false
		manage_template => false

Below are the error which we are getting from logstash:
[2021-01-19T06:17:55,405][WARN ][org.logstash.dissect.Dissector][main][e403b63e1abf9a7775c97a93d177eeea4cd151e974911b37e5599183d6f6dfd0] Dissector mapping, pattern not found {"field"=>"message", "pattern"=>"%{DATETIME} |%{LOGLEVEL} |%{LOGSOURCE} |%{Id} |%{Name} |%{JobId} |%{ObjectType} \r\n|%{RequestType}|%{ContentId} |%{LOGMESSAGE}", "

If you have a dissect pattern like %{DATETIME} | with a space before the pipe, then the message field must also have a space before the pipe, and your events do not have that. Try

    dissect { mapping => { "message"=> '%{DATETIME}|%{LOGLEVEL}|%{LOGSOURCE}|%{Id}|%{Name}|%{JobId}|%{ObjectType}|%{RequestType}|%{ContentId}|%{LOGMESSAGE}' } }

Hi @Badger,
I am using the above pattern, but still I am getting the same error
[2021-01-20T04:50:43,232][WARN ][org.logstash.dissect.Dissector][main][fbd05f1f288405b7f74052f29a87e8f57e7878c7621ba1b97ec752e58c8b1053] Dissector mapping, pattern not found {"field"=>"message", "pattern"=>"%{DATETIME}|%{LOGLEVEL}|%{LOGSOURCE}|%{Id}|%{Name}|%{JobId}|%{ObjectType}|%{RequestType}|%{ContentId}|%{LOGMESSAGE}",

Please find my observation below:
If I am using below pattern its working fine.
dissect { mapping => { "message" => "%{DATETIME}|%{LOGLEVEL}|%{LOGSOURCE}|%{Id}|%{Name}|%{JobId}|%{ObjectType}|%{LOGMESSAGE}" } }

If I am using below Pattern after adding "ContentId" field its not working & giving me the above error
dissect { mapping => { "message" => "%{DATETIME}|%{LOGLEVEL}|%{LOGSOURCE}|%{Id}|%{Name}|%{JobId}|%{ObjectType}|%{ContentId}|%{LOGMESSAGE}" } }

Its Resolved.

Thanks @Badger, for your help.Its log message fields mistake .

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.