This is the message I am working with:
C:\Data\Projects\Demo\2019-03-06-14-35-07_check.log
In the grok debugger this was the pattern I checked and it worked.
%{PATH:dontwant}\\%{USERNAME:identifier}_%{GREEDYDATA:drop}
Output:
{
  "drop": "check.log",
  "identifier": "2019-03-06-14-35-07",
  "dontwant": "C:\\Data\\Projects\\Demo"
}
Now I wanted to put this in my pipeline. But I am seeing errors.
For this:
{
  "grok": {
    "field": "FileName",
    "patterns": ["%{PATH:dontwant}\\%{USERNAME:identifier}_%{GREEDYDATA:drop}"]
  }
},
I get this error:
{
  "error": {
    "root_cause": [
      {
        "type": "parse_exception",
        "reason": "[patterns] Invalid regex pattern found in: [%{PATH:dontwant}\\%{USERNAME:identifier}_%{GREEDYDATA:drop}]. unmatched close parenthesis",
        "header": {
          "processor_type": "grok",
          "property_name": "patterns"
        }
      }
    ],
    "type": "parse_exception",
    "reason": "[patterns] Invalid regex pattern found in: [%{PATH:dontwant}\\%{USERNAME:identifier}_%{GREEDYDATA:drop}]. unmatched close parenthesis",
    "header": {
      "processor_type": "grok",
      "property_name": "patterns"
    }
  },
  "status": 400
}
For this:
{
  "grok": {
    "field": "FileName",
    "patterns": ["%{PATH:dontwant}\%{USERNAME:identifier}_%{GREEDYDATA:drop}"]
  }
},
I get this error:
{
  "error": {
    "root_cause": [
      {
        "type": "parse_exception",
        "reason": "Failed to parse content to map"
      }
    ],
    "type": "parse_exception",
    "reason": "Failed to parse content to map",
    "caused_by": {
      "type": "i_o_exception",
      "reason": "Unrecognized character escape '%' (code 37)\n at [Source: org.elasticsearch.common.bytes.BytesReference$MarkSupportingStreamInputWrapper@1b5eba15; line: 33, column: 41]"
    }
  },
  "status": 400
}
Any pointers on how I can make it work?
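
An added example, not part of the original post: the two errors above line up with two unescaping layers, JSON string decoding first and regex compilation second. Python's `json` and `re` modules stand in here for Elasticsearch's JSON parser and regex engine, and the `GROK` table, `expand` and `try_pattern` are hypothetical helpers with a simplified PATH definition.

```python
import json
import re

# Simplified stand-ins for grok definitions (assumption: the real PATH
# pattern is broader than this Windows-only form).
GROK = {
    "PATH": r"[A-Za-z]:(?:\\[^\\?*]*)+",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "GREEDYDATA": r".*",
}

def expand(pattern):
    """Replace each %{NAME:field} with a named capture group."""
    return re.sub(r"%\{(\w+):(\w+)\}",
                  lambda m: "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)]),
                  pattern)

def try_pattern(json_text, message):
    """Decode the JSON string, expand it, compile it, match the message.
    Returns the captured fields, or a string naming the layer that failed."""
    try:
        pattern = json.loads(json_text)      # layer 1: JSON unescaping
    except json.JSONDecodeError:
        return "json error"
    try:
        regex = re.compile(expand(pattern))  # layer 2: regex escaping
    except re.error:
        return "regex error"
    m = regex.fullmatch(message)
    return m.groupdict() if m else "no match"

# The message from the post, and the pattern as typed in the request body
# with one, two and four backslashes between PATH and USERNAME.
MESSAGE = r"C:\Data\Projects\Demo\2019-03-06-14-35-07_check.log"
HEAD = '"%{PATH:dontwant}'
TAIL = r"%{USERNAME:identifier}_%{GREEDYDATA:drop}" + '"'
ONE = HEAD + "\\" * 1 + TAIL    # \% is not a valid JSON escape
TWO = HEAD + "\\" * 2 + TAIL    # decodes to \( which escapes the group's "("
FOUR = HEAD + "\\" * 4 + TAIL   # decodes to \\ which matches one literal "\"

if __name__ == "__main__":
    for name, body in (("one", ONE), ("two", TWO), ("four", FOUR)):
        print(name, body, "->", try_pattern(body, MESSAGE))
```

With two backslashes the decoded pattern contains a single `\` directly before the expanded `(` of the next capture group, which leaves that group's `)` unmatched; four backslashes in the JSON body survive as `\\` in the regex and match the path separator.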