Filebeat custom patterns

vladtepes · August 4, 2020, 7:45am

Greetings friends,

I am trying to make this approach work in ingest pipelines, but have stumbled upon a syntax error.
The grok pattern is valid from what I have tested:

When I try to use it in the ingest pipeline however it shows a bad string error. Have you guys tried it or maybe can spot the issue?

vladtepes · August 5, 2020, 1:28pm

I have also tested all patterns individually and the result is also positive.

The filter, as I can see finds the 'bad string' in the first part:
(?%{MONTHNUM}/%{MONTHDAY}/%{YEAR} %{HOUR}:%{MINUTE}:%{SECOND}*?*)%{SPACE}%{PROG:sp_process} (%{BASE16NUM:sp_pid})
If I delete this, then there is no more bad string error.

Unfortunately my understanding of all the Grok nuances is still infantile. Can somebody maybe spot something not supported by the ingest pipeline?

system · September 2, 2020, 3:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
PATTERN ERROR WHEN ADDING IN INGEST PIPELINE GROK PROCESSOR Kibana	1	359	February 15, 2022
Ingest pipeline created for filebeat log using grok pattern,but unable to run in dev tools Beats filebeat , ingest-pipeline	5	641	April 12, 2023
GROK Pattern syntax error, working in GROK debugger but not pipeline Elasticsearch ingest-pipeline	2	400	June 27, 2023
Filebeat mongo module, grok pattern is incorrect Beats	6	1472	August 7, 2018
Filebeat error using ingest pipeline: Provided Grok expressions do not match field value Beats filebeat	4	6118	June 15, 2017

Filebeat custom patterns

Related topics