GROK Failure

Elastic Stack Logstash
21 
Thank you , is the GROK pattern not stable? , the pattern was working before now is not working , did i do something wrong?

OUT:171.328.614.7\tErrorCode=00000\tOpStatus=00000\tExceptionReason=null\tJSON={\"op_gsn\":\"jcd.int.int.com\",\"op_status\":\"00000\",\"listOfDebitCardsDTO\":[{\"debitCardNumber\":4483850000013363}]}","logger_name":"ACTIVITY","thread_name":"WebContainer : 3","level":"INFO","level_value":20000,"HOSTNAME":"jcd.int.bgh.com","sessionId":"WBAhqWn467lUpaOdoFPdeO2","IP":"141.228.114.7","transactionID":"gatewayID","opcode":"opcode value","tags":null}


OUT:%{IP:out}\tErrorCode=%{BASE10NUM:errorCode}\tOpStatus=%{BASE10NUM:opStatus}\tExceptionReason=%{WORD:exceptionReason}\tJSON=%{GREEDYDATA:rest}
22

Do you have an actual tab in your test event or the literal text \t?

23

i have \t

24

\t in a grok indicates an actual tab, so that may then be what is wrong.

25

is there of removing \t or handling it?

26

I am not sure I understand. You need to make sure that what you have in the grok pattern matches your event.

27 
IN:222.222.222.222\t\t AccessAccount-******2456\t OPCODE-OP0984\t DeviceModel-null\t DeviceManufacturer-null\t DeviceId-1234864850035077224678hgfjkjhkgyh78da\t DeviceOsName-Android\t DeviceOsVersion-null\t App Version-null\t Channel-S Incoming Data: {\topCode=OP0984\tcom.ibm.websphere.servlet.uri_non_decoded=/gateway/service\tserVer=2.0\tserviceCode=OP1\tjavax.servlet.request.key_size=128\tprelogin=false\tjavax.servlet.request.cipher_suite=AES128-SHA\tmethodName=processTVM\tchannel=S}","logger_name":"ACTIVITY","thread_name":"WebContainer : 2","level":"DEBUG","level_value":10000,"HOSTNAME":"j8.in.dfg.com","sessionId":"kGYFxKdMLE7RRgAS_ErivV0","IP":"444.444.444.444","transactionID":"gatewayID","opcode":"opcode value","tags":null}

i tried this ,

IN:%{IP:in_ip}%{SPACE}%{SPACE}%{SPACE}%AccessAccount-%{DATA:accAcc}%{SPACE}%{GREEDYDATA:rest}
28

i managed to parse my event however the object incoming data , just found out is not json object but string
how do i extract data from string
is there a string filter?

Capture
Capture.PNG1744×837 59.6 KB

29 
Any feedback on the issue above?
i tried 

   kv {
                source => "IncomingData"
               value_split => "="
               field_split => "\t"
       }
30

Please assist
My original message is in Json, do i need to grok it before getting fields and data separated?

31

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.