Grok Debugger requires ":integer" but logstash document says to use ":int" for format. Is ":integer" valid in logstash?

rducharme · December 5, 2018, 5:24pm

I have a logstash configuration file with some mutates to map a matched pattern field to an integer.
// mutate {
// convert => {
// "pages" => "integer"
// "msec" => "integer"
// }
// }

The logstash document indicates I can use a format (:int) instead. However, when I try this in the grok debugger, specify a pattern as %{BASE10NUM:totalCount:int}, it does not detect a number field. If I change :int to :integer, it works fine. However the logstash documentation says to specify the format as ":int". Is this just a simple mismatch between the 2 tools or is ":integer" also valid for logstash?

When I do the match in logstash, it does seem to take the ":integer". However, I also have mutates in the configuration file to map the type to integer so not sure if it will really sending it as a number without the mutates.

Michel99_7 · December 6, 2018, 9:42am

Grok uses "int"
Convert function of "Mutate" plugin uses "integer"

rducharme · December 7, 2018, 4:36pm

Mutate operation is fine. However, the question is the difference between the grok_debugger and the grok pattern matching in logstash. If I specify int in the grok debugger, the number is not parsed. For 6.5.1 version of logstash (and some other versions), the :int in the pattern also does not seem to make it a number. I need to use the mutate to make it an integer.

system · January 4, 2019, 4:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.