File input Path variable

Elastic Stack Logstash
1

My logstash.conf file is using the file input as such:

file{
	path => "${PWD}/data/**/log.file"
	start_position => beginning
	ignore_older => 0
	sincedb_path => "${PWD}/software_files/logstash-5.6.1/logstash_use/null"
	type => "csv"
}

Where PWD is the working directory where the Windows script is being ran from. The directory where my file is located is:

D:\ELK\osi_ELK-5.6.1/data/cust/role/host/log/log.file

Now Logstash reads the file in as such:

D:\\ELK\\osi_ELK-5.6.1/data/cust/role/host/log/log.file

My question is why does Logstash add an extra \ within the variable PWD? I am using a grok to parse information from the path variable and the double \ causes the logs to get tagged with _grokparsefailure.

Thanks!

2

Exactly where are you seeing the double backslashes? Use copy/paste.

3

In the fails.txt where I put logs that get tagged with _grokparsefailure this is a log line.

"tags":["_grokparsefailure"],"path":"D:\\ELK\\osi_ELK-5.6.1/data/cust/role/host/log/log.file","datestamp":"17/09/22 12:00:41.295"

4

The path field doesn't contain double backslashes, it's just how JSON serialization works. Your grok expression fails for some other reason.

5

But when I create create a grok that only utilizes a single "\" it fails. But when I use one that is "\\" in those instances above it does not get tagged as grok parse failure.

6

Backslashes have a special meaning in regular expressions so they need to be escaped there as well.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.