Grok - every fields is putted into message

rschirin · November 2, 2018, 5:37pm

hi all,
I'm sending messages from Filebeat to Logstash where I will used Grok to parse correctly and then send to Elastic.
The first step, from FB to LS works correctly.
unfortunately, when I try to apply Grok I got all the fields directly into message field.

here my logstash.conf:

input { 
	beats {
      		port => 5045
	}
}

filter {
 if [message] =~ "^#" {
  drop {}
 }
 grok {
        break_on_match => false
        match => [
            "message", ".*calling addr\=\\"%{IPV4:client}\/%{INT:client port}\\".*called_addr\=\\"%{IPV4:server}\/%{INT:server port}\\".*login\=\\"%{USERNAME:username}\\"",
			"message", ".*Connection Failure, reason :\s*%{GREEDYDATA:message}",
            "message", ".*CGate\s*%{GREEDYDATA:message}"
        ]
    }
}

output {
 if [CrifBeats] == "ft_audit"{
  elasticsearch { 		
   hosts => ["localhost:9200"]
   index => "ftaudit-%{+YYYY.MM.dd}"
  }
 }
}

using grok debugger at http://grokdebug.herokuapp.com/ it works correctly but when message is parsed in my LS I get everything into message field.
I was sure that grok should be able to create/add indicated fields.
I know that I'm doing something wrong but I cannot understand where.

Christian_Dahlqvist · November 4, 2018, 1:47pm

Does specifying the overwrite parameter help?

rschirin · November 5, 2018, 8:44pm

The issue was due to the used regex. Basically, it was not matched so new fields were not created

system · December 3, 2018, 8:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.