Grok expression works in debugger but fails when posted on the pipeline simulation api

Dovid · December 13, 2018, 9:17pm

Here is my simulate JSON

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "ASDF log pipeline",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "%{TIMESTAMP_ISO8601:@timestamp} %{LOGLEVEL:level} %{WORD:namespace} .*? %{GREEDYDATA:message}"
          ]
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "@timestamp": "2018-12-13T20:58:12.651Z",
        "@metadata": {
          "beat": "filebeat",
          "type": "doc",
          "version": "6.2.1"
        },
        "message": "2018-12-12 10:15:29,697 DEBUG ASDF - OnLoadingDelayChangedCallback: 1, 2",
        "source": "C:\\ASDF\\serverlogs\\testlog.log",
        "offset": 158,
        "prospector": {
          "type": "log"
        },
        "beat": {
          "name": "ASDF",
          "hostname": "ASDF",
          "version": "6.2.1"
        }
      }
    }
  ]
}

This returns me the following error
"java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [2018-12-12 10:15:29,697 DEBUG WayPoints - OnLoadingDelayChangedCallback: 1, 2]"

I am struggling to understand as the grok appear to be valid when tested in the debugger

Christian_Dahlqvist · December 13, 2018, 9:39pm

You seem to have spaces before the colon in some of your pattern definitions. Can you try removing those?

Dovid · December 13, 2018, 9:47pm

I tried removing the spaces. The simulation still error.

Christian_Dahlqvist · December 13, 2018, 9:49pm

Strange, because this work for me:

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "ASDF log pipeline",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "%{TIMESTAMP_ISO8601:@timestamp} %{LOGLEVEL:level} %{WORD:namespace} .*? %{GREEDYDATA:message}"
          ]
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "@timestamp": "2018-12-13T20:58:12.651Z",
        "@metadata": {
          "beat": "filebeat",
          "type": "doc",
          "version": "6.2.1"
        },
        "message": "2018-12-12 10:15:29,697 DEBUG ASDF - OnLoadingDelayChangedCallback: 1, 2",
        "source": "C:\\ASDF\\serverlogs\\testlog.log",
        "offset": 158,
        "prospector": {
          "type": "log"
        },
        "beat": {
          "name": "ASDF",
          "hostname": "ASDF",
          "version": "6.2.1"
        }
      }
    }
  ]
}

Dovid · December 13, 2018, 9:53pm

It does not work here. I just started a major update from v5.6.9 to v6.5.3 ill let you know if this help.

system · January 10, 2019, 11:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat error using ingest pipeline: Provided Grok expressions do not match field value Beats filebeat	4	6118	June 15, 2017
Elasticsearch grok processor error Elasticsearch	5	1148	March 28, 2018
Greedymultine works in simulation but fails when actually used Kibana ingest-pipeline	2	394	April 30, 2022
Provided Grok expressions do not match field value when the pattern field contains some regular expressions Beats filebeat	3	3521	May 31, 2018
Provided Grok expressions do not match field value Beats filebeat	1	285	August 31, 2020

Grok expression works in debugger but fails when posted on the pipeline simulation api

Related topics