Grok debugger works, on logstash not

psyskeletor · May 9, 2023, 12:38pm

Hi there.

Super new to logstash.
I wanted to extract exit code from logs, so i came with this solution using grok debugger

filter {
     grok {
         match => { "message" => "(?<exit_code>\b[exit code ]\d+ \b)" }
 
    }
}

but when running logstash locally with stdin with this line:

gitlab-runner-eks WARNING: Job failed: command terminated with exit code 1

it returns me this error:

gitlab-runner-eks WARNING: Job failed: command terminated with exit code 1
{
          "tags" => [
        [0] "_grokparsefailure"
    ],
      "@version" => "1",
       "message" => "gitlab-runner-eks WARNING: Job failed: command terminated with exit code 1",
          "host" => {
        "hostname" => "computer"
    },
         "event" => {
        "original" => "gitlab-runner-eks WARNING: Job failed: command terminated with exit code 1"
    },
    "@timestamp" => 2023-05-09T12:05:43.472221Z
}

Any ideas what i am doing wrong?

Badger · May 9, 2023, 7:43pm

I would sugggest

grok { match => { "message" => "exit code (?<exit_code>\d+)" } }

Edited to add ... or even

grok { match => { "message" => "exit code %{INT:exit_code}" } }

psyskeletor · May 10, 2023, 8:23am

Worked like a charm!

thanks a lot!

system · June 7, 2023, 8:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.