Don't know why _grokparsefailure

Miguel_Leite · November 26, 2018, 4:21pm

Hello,

I'm trying to parse this log format:

alarms_2gw:ddb_alr:Warn.GenProc-No:1306,Id:10462,TimeScada:26/11/1816:15:22,TimeSource:1543248887.0,Kidx:565141,state:1.000000,type:5,Hl0:LOCAL,Stat=0200H,AlrTyp=c2H,attr=10H

I have the following logstash grok config filter:

 grok {

       match => { "full_msg" => ["^%{DATA:al_prgm}:ddb_alr:%{DATA:al_lvl}\.GenProc-No:%{INT:al_no},Id:%{INT:al_id},TimeScada:%{MONTHDAY:day_scada}/%{MONTHNUM:month_scada}/{YEAR:year_scada}%{TIME:time_scada},TimeSource:%{DATA:time_source},Kidx:%{DATA:kidx},state:%{DATA:state},type:%{INT:type},Hl0:%{DATA:local},Stat=%{DATA:stat},AlrTyp=%{DATA:alr_typ},attr=%{DATA:attr}$"] }
       add_tag => ["alarm2gw"]
 }

Anyone knows why is failing on grok? Using the Grok Debugger I have full match with this parse type.

bigphil · November 27, 2018, 5:21am

Your TIME pattern is invalid. TIME requires hh:mm:ss. If you never have seconds then this will work:
^%{DATA:al_prgm}:ddb_alr:%{DATA:al_lvl}.GenProc-No:%{INT:al_no},Id:%{INT:al_id},TimeScada:%{MONTHDAY:day_scada}/%{MONTHNUM:month_scada}/%{YEAR:year_scada}:%{HOUR:hour_scada}:%{MINUTE:minute_scada},TimeSource:%{DATA:time_source},Kidx:%{DATA:kidx},state:%{DATA:state},type:%{INT:type},Hl0:%{DATA:local},Stat=%{DATA:stat},AlrTyp=%{DATA:alr_typ},attr=%{DATA:attr}$

system · December 25, 2018, 5:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.