Grok crash if line ending by backslash

djgreg13 · January 24, 2020, 2:25pm

Hello, i have a field pushed by a beat with this content

"D:\Logs\IIS\test.domain.com\20191219.log

So i write the following grok for extract test.domain.com

grok {
                match => {
                    "[log][file][path]" => [
                        "D:\\Logs\\IIS\\%{GREEDYDATA:application.name}\\"
                    ]
                }
            }

And grok crash with a parse failure, if i try this grok

grok {
                match => {
                    "[log][file][path]" => [
                        "D:\\Logs\\IIS\\%{GREEDYDATA:application.name}\\%{GREEDYDATA}"
                    ]
                }
            }

the output of application.name is : test.domain.com\20191219.log

so my final logstash grok is

grok {
                match => {
                    "[log][file][path]" => [
                        "D:\\Logs\\IIS\\%{GREEDYDATA:application.name}\\2%{GREEDYDATA}"
                    ]
                }
            }

and now it's OK application.name is test.domain.com

if i try on kibana grok debugger the first expression, the output is correct

So is it an issue of grok ?

Badger · January 24, 2020, 3:00pm

That could be this issue.

system · February 21, 2020, 3:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.