Grok Custom pattern file

Gabriel_Pellegrini_M · February 2, 2018, 6:19pm

Hi guys,

I'm starting in logstash's world and i'm having a problem to set more than one custom grok pattern into a "patern_dir"

I've created a file into my directory "/etc/logstash/pattern" with the follow information

#GROK CUSTOM PATTERNS INFORMATION CONTENTS
FILE_VERSION \w+\d{6}(?=_)
BU_ID \d{3}(?=\.)

I want to know if it needs some separator between both patterns.

thank for any help !

magnusbaeck · February 2, 2018, 6:20pm

A single newline character is the only separator you need. Your file looks fine.

Gabriel_Pellegrini_M · February 5, 2018, 12:40pm

I'm trying to take a part name of the following source path

path => /elasticsearch/logstash/example/example201610_007.csv"

this is in a input file.
i want to use the grok filter to set my custom patterns on the index name.

filter {
    grok{
             patterns_dir => ["/elasticsearch/logstash/example/patterns"]
             match =>{"file_version" => "%{FILE_VERSION:%{path}}" }
             match =>{"bu_id" => "%{BU_ID:%{path}}" }
         }
    }

But I'm not getting the expected result when the index is created.

Thanks for your help.

magnusbaeck · February 5, 2018, 1:39pm

         match =>{"file_version" => "%{FILE_VERSION:%{path}}" }
        match =>{"bu_id" => "%{BU_ID:%{path}}" }

What are you trying to do here?

Gabriel_Pellegrini_M · February 5, 2018, 1:56pm

I was trying to do the field path get the pattern syntax before.

But i think i've had a mistake.

i'll put here my config file for you to see.

input {
  file {
    path => "/elasticsearch/logstash/example/example201610_007.csv"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}
filter {
  csv {
    separator => ";"
   columns => ["field1","field2","field3","field4"]
  }

  mutate {
    rename => { "field2" => "productId" }
    rename => { "field3" => "productComplementaryId" }
    rename => { "field4" => "productComplementaryName" }
  }
 
   grok{
    
    patterns_dir => ["/elasticsearch/logstash/example/patterns"]
    match =>{"%{path}" => "%{FILE_VERSION:file_version}" }
    match =>{"%{path}" => "%{BU_ID:bu_id}" }
    
  }

}
output {
    stdout { codec => rubydebug { metadata => true } }
    elasticsearch {
        index => "gabriel_%{file_version}"
        document_type => "complementary%{bu_id}"
        document_id => "%{productId}%{productComplementaryId}"
        hosts => "${LOGSTASH_ES_HOSTS}"
  
     }
}

I want to take a part of path field.

magnusbaeck · February 5, 2018, 2:21pm

What you probably want is something like this:

grok {
  match => {
    "path" => "/%{FILE_VERSION:version}_%{BU_ID:id}\.csv$"
  }
  patterns_dir => ["/elasticsearch/logstash/example/patterns"]
}

Gabriel_Pellegrini_M · February 5, 2018, 4:00pm

Thanks a lot , it was what i needed.

It works perfetly !

system · March 5, 2018, 4:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Custom pattern problems in the grok filter Logstash	2	2542	July 6, 2017
Custom logstash grok filter's pattern Logstash	2	662	July 6, 2017
How to make a custom grok filter Logstash	12	3152	March 21, 2018
Issue with custom parsing in grok filter Logstash	3	320	May 8, 2019
Pattern Matching Logstash	8	1152	April 5, 2017

Grok Custom pattern file

Related topics