File input Path variable

My logstash.conf file is using the file input as such:

	path => "${PWD}/data/**/log.file"
	start_position => beginning
	ignore_older => 0
	sincedb_path => "${PWD}/software_files/logstash-5.6.1/logstash_use/null"
	type => "csv"

Where PWD is the working directory where the Windows script is being ran from. The directory where my file is located is:


Now Logstash reads the file in as such:


My question is why does Logstash add an extra \ within the variable PWD? I am using a grok to parse information from the path variable and the double \ causes the logs to get tagged with _grokparsefailure.


Exactly where are you seeing the double backslashes? Use copy/paste.

In the fails.txt where I put logs that get tagged with _grokparsefailure this is a log line.

"tags":["_grokparsefailure"],"path":"D:\\ELK\\osi_ELK-5.6.1/data/cust/role/host/log/log.file","datestamp":"17/09/22 12:00:41.295"

The path field doesn't contain double backslashes, it's just how JSON serialization works. Your grok expression fails for some other reason.

But when I create create a grok that only utilizes a single "\" it fails. But when I use one that is "\\" in those instances above it does not get tagged as grok parse failure.

Backslashes have a special meaning in regular expressions so they need to be escaped there as well.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.