Getting Grok Parse failure error

Hi,

I am getting a grok parse error for the input below:

1999001529.000000[20291121 01:45:04.000000] Feature: dummy/2.1/subdummy/myevent Event: One or more users unavailable. Please grant the acess. Id: 1501 Type_Id: 1076969 Count_Event: 1 Aff.event: Info: MyTeamMember

And the pattern used for this to parse is:

filter {
  date {
    match => ["timestamp", "yyyyMMdd HH:mm:ss.000000"]
    target => "@timestamp"
  }
  grok {
    match => { "Event" => "%{NUMBER:TransationId}[%{@timestamp:Event_Timestamp}] Feature: %{URIPATH:Feature} Event: %{WORD:Event_Name} Id: %{NUMBER:Event_ID} Type_ID: %{NUMBER:Type} Count_Event: %{NUMBER:Count} Aff.Event: Info: %{WORD:Info}"
    }
  }
}

Could anyone please help me build the right pattern, if I am missing something?

//Thanks in advance
Ankit S

Try to replace your Logstash configuration with this:

filter {
  grok {
    match => { "Event" => "%{NUMBER:TransactionId}\[%{DATA:Event_Timestamp}\] Feature: %{DATA:Feature} Event: %{DATA:Event_Name} Id: %{NUMBER:Event_ID} Type_Id: %{NUMBER:Type} Count_Event: %{NUMBER:Count} Aff\.event: Info: %{WORD:Info}"
  }
  date {
    match => ["Event_Timestamp", "yyyyMMdd HH:mm:ss.000000"]
    target => "@timestamp"
  }
}

Main changes:

  • Corrected the grok pattern; there were various typos and mistakes in pattern usage
  • Moved date after grok so that Event_Timestamp is parsed correctly

As a side note, whenever you are in doubt about Grok patterns, you can always debug using http://grokdebug.herokuapp.com/. I find it very useful!
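To see why the accepted pattern matches and the original one does not, here is an added Python example (not from this thread and not Logstash's own grok implementation) that expands grok-style `%{SYNTAX:SEMANTIC}` tokens into regular expressions with simplified stand-ins for NUMBER, DATA, WORD and URIPATH, then runs the question's pattern, a constructed variant that keeps `%{WORD:Event_Name}`, and the answer's pattern against the sample log line. The base-pattern definitions, the `WORD_VARIANT` pattern and the helper names are assumptions made for this example; the sample line and the two config patterns are taken from the posts above.

```python
import re
from datetime import datetime

# Simplified stand-ins for the grok base patterns used in this thread, written
# for this example; they approximate logstash-patterns-core rather than copy it.
BASE_PATTERNS = {
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "WORD": r"\b\w+\b",                      # stops at the first non-word character
    "DATA": r".*?",                          # lazy: extends only as far as needed
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",  # needs a leading "/"
}

# %{SYNTAX} or %{SYNTAX:SEMANTIC}; whatever sits inside the braces is taken as
# the pattern name, so an invalid name such as @timestamp is reported, not ignored.
GROK_TOKEN = re.compile(r"%\{([^:}]+)(?::([^}]+))?\}")


def grok_to_regex(pattern):
    """Expand grok tokens into a Python regex with one named group per field."""
    def expand(m):
        syntax, semantic = m.group(1), m.group(2)
        if syntax not in BASE_PATTERNS:
            raise ValueError(f"unknown grok pattern: {syntax}")
        body = BASE_PATTERNS[syntax]
        return f"(?P<{semantic}>{body})" if semantic else f"(?:{body})"
    return GROK_TOKEN.sub(expand, pattern)


def grok_match(pattern, text):
    """Return the captured fields as a dict, or None when the pattern fails."""
    m = re.search(grok_to_regex(pattern), text)  # grok is unanchored, like re.search
    return m.groupdict() if m else None


def check_pattern(pattern, text):
    """One-line verdict, in the spirit of what a grok debugger reports."""
    try:
        fields = grok_match(pattern, text)
    except ValueError as exc:
        return str(exc)
    return "matched" if fields else "no match"


# Sample line from the question (constructed by the original poster).
SAMPLE = ("1999001529.000000[20291121 01:45:04.000000] Feature: dummy/2.1/subdummy/myevent "
          "Event: One or more users unavailable. Please grant the acess. Id: 1501 "
          "Type_Id: 1076969 Count_Event: 1 Aff.event: Info: MyTeamMember")

# The pattern exactly as posted in the question.
ORIGINAL_PATTERN = (r"%{NUMBER:TransationId}[%{@timestamp:Event_Timestamp}] Feature: %{URIPATH:Feature} "
                    r"Event: %{WORD:Event_Name} Id: %{NUMBER:Event_ID} Type_ID: %{NUMBER:Type} "
                    r"Count_Event: %{NUMBER:Count} Aff.Event: Info: %{WORD:Info}")

# The pattern from the accepted answer.
CORRECTED_PATTERN = (r"%{NUMBER:TransactionId}\[%{DATA:Event_Timestamp}\] Feature: %{DATA:Feature} "
                     r"Event: %{DATA:Event_Name} Id: %{NUMBER:Event_ID} Type_Id: %{NUMBER:Type} "
                     r"Count_Event: %{NUMBER:Count} Aff\.event: Info: %{WORD:Info}")

# Constructed for this example: the corrected pattern with only %{WORD:Event_Name}
# put back, to isolate why a multi-word event text cannot be captured by WORD.
WORD_VARIANT = CORRECTED_PATTERN.replace("%{DATA:Event_Name}", "%{WORD:Event_Name}")


def parse_event(line):
    """Apply the corrected pattern and convert Event_Timestamp, as the date filter would."""
    fields = grok_match(CORRECTED_PATTERN, line)
    if fields is None:
        return None
    # Equivalent of the answer's date filter (yyyyMMdd HH:mm:ss.000000) in strptime terms.
    fields["@timestamp"] = datetime.strptime(fields["Event_Timestamp"], "%Y%m%d %H:%M:%S.%f")
    return fields


if __name__ == "__main__":
    for label, pattern in [("original", ORIGINAL_PATTERN),
                           ("WORD variant", WORD_VARIANT),
                           ("corrected", CORRECTED_PATTERN)]:
        print(f"{label:13}: {check_pattern(pattern, SAMPLE)}")
    for key, value in parse_event(SAMPLE).items():
        print(f"  {key} = {value!r}")
```

Running it reports the original pattern as rejected because `@timestamp` is not a grok pattern name, the WORD variant as "no match" because `%{WORD}` stops at "One" and the following literal ` Id: ` is not there, and the corrected pattern as matched with `Event_Name` holding the whole sentence. The same reasoning explains the other changes in the answer: unescaped `[`/`]` are regex metacharacters, `Type_ID` and `Aff.Event` differ in case from the input, and `URIPATH` would have required the Feature value to begin with a slash, which `dummy/2.1/...` does not.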
