File Path Directory name extract Regex

Hi Everyone,

I need to extract the directory name from the "path" field and assign it to the "arcot" field. I require the "arcot" value for filtering purposes. Below is the code I am using. The path variable is storing "D:\Program Files (x86)\Arcot Systems1\logs\arcotriskfort.log"; I am extracting "Arcot Systems1" into the variable "arcot" and getting the error below:

Please note: I am a beginner in ELK

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, ,, ] at line 18, column 17

input
{
  file
  {
    path => ["D:\Program Files (x86)\Arcot Systems1\logs\arcotriskfort.log"]
    start_position => "beginning"
  }
}
filter
{
  grok
  {
    match => ["message","%{SYSLOGTIMESTAMP:timestamp} %{NUMBER:year} %{LOGLEVEL:level}%{GREEDYDATA}RT=%{NUMBER:RT},Q1T=%{NUMBER:Q1T},PT=%{NUMBER:PT},PPT=%{NUMBER:PPT},APT=%{NUMBER:APT},MT=%{NUMBER:MT},Q2T=%{NUMBER:Q2T},DT=%{NUMBER:DT}"]
    match => ["path","\\[^\\]+\\\\(?<arcot>[^\\]+)\\"]
  }
  mutate
  {
    convert => { "DT" => "integer" }
    convert => { "Q1T" => "integer" }
    convert => { "APT" => "integer" }
    convert => { "RT" => "integer" }
  }
}
output
{
  stdout { codec => rubydebug }
  elasticsearch
  {
    #host => "localhost"
    #protocol => "http"
    #cluster => "elasticsearch"
    index => "newfrm"
    template => "D:\Program Files (x86)\abc.txt"
    template_name => "newfrm"
    template_overwrite => true
  }
}

The escaping is wrong, so it thinks there is no closing " in that pattern, and it blows up when it gets to "DT".

Thank you @Badger, it's looking for an unclosed quote, so simply appending an extra quote resolves the error, but the pattern is not doing its job.
If it's OK, can you/anyone suggest the correct pattern? I have been stuck on this for a long time.

I will let someone else try to find a pattern that will grok. I would do this using dissect.

dissect { mapping => { "path" => "%{}\%{}\%{arcot}\%{}" } }
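Added illustration, not code from the thread: the regex below is the grok-side pattern once the config-file quoting layer has been stripped away (a backslash, a non-backslash run, a backslash, the named capture, a backslash), and `dissect` is a small re-implementation of the mapping semantics used in the answer (`%{}` skips a field, `%{name}` keeps it, literal text is the delimiter, the last field takes the rest). Both are run against a constructed path of the same shape as the one in the question, and both return nil when the path has too few directory levels for the pattern.

```ruby
# Constructed sample path with the same layout as the one in the question.
SAMPLE_PATH = 'D:\Program Files (x86)\Arcot Systems1\logs\arcotriskfort.log'

# The grok-side regex: grok patterns are Oniguruma regexes, and a literal
# backslash in a regex is written as \\ (Ruby's regex literal below).
ARCOT_RE = /\\[^\\]+\\(?<arcot>[^\\]+)\\/

# Returns the second directory level of a backslash-separated path,
# or nil if the path has no such level.
def arcot_via_regex(path)
  m = ARCOT_RE.match(path)
  m && m[:arcot]
end

# The dissect mapping from the answer, written as a Ruby single-quoted
# string so the backslashes stay literal.
DISSECT_MAPPING = '%{}\%{}\%{arcot}\%{}'

# Minimal dissect-style tokenizer: fields consume text up to the next
# literal delimiter; a trailing field consumes whatever is left.
# Returns a hash of named fields, or nil if a delimiter is missing.
def dissect(text, mapping)
  tokens = mapping.scan(/%\{([^}]*)\}|([^%]+)/)
                  .map { |name, lit| name ? [:field, name] : [:lit, lit] }
  out = {}
  pos = 0
  tokens.each_with_index do |(kind, val), i|
    if kind == :lit
      return nil unless text[pos, val.length] == val # delimiter must match
      pos += val.length
    else
      nxt = tokens[i + 1]
      stop = nxt ? text.index(nxt[1], pos) : text.length
      return nil if stop.nil?                        # delimiter never found
      out[val] = text[pos...stop] unless val.empty?  # %{} discards the field
      pos = stop
    end
  end
  out
end

def arcot_via_dissect(path)
  fields = dissect(path, DISSECT_MAPPING)
  fields && fields['arcot']
end

if __FILE__ == $PROGRAM_NAME
  puts arcot_via_regex(SAMPLE_PATH)   # Arcot Systems1
  puts arcot_via_dissect(SAMPLE_PATH) # Arcot Systems1
end
```

The quoting problem described earlier in the thread sits above this layer: the pattern a Logstash config string yields must still end up as the regex shown here.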
