```%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel}.*\[%{THREADNAME:thread}.*IdamAuthHandler.*\].* - \[carrier:%{GREEDYDATA:carrier}\]. *\[product:%{ANYDATA:product}\].*\[version:%{ANYDATA:version}].*\[call:%{ANYDATA:call}\].*\[external_id:%{ANYDATA:external_id}\].*\[account_id:%{GREEDYDATA:account_id}\].*\[x-mobitv-reqid:%{ANYDATA:reqId}\].*\[x-forwarded-for:%{ANYDATA:forwardedFor}\].*- request params are grant_type=*%{ANYDATA:grant_type}.*ext_assertion=*%{GREEDYDATA:_extassertion}.*ext_credential=*%{GREEDYDATA:billing_id}.* ```
it passes with the log line provided in online grok parser , but if I add it in .conf the the pipeline creation has error ":message=>"Could not execute action: PipelineAction::Create", whereas if I replace it with other default filter it works ingest the data
default filter:
"%{TIMESTAMP_ISO8601:event_timestamp}\s+%{LOGLEVEL:log_level}\s+[%{DATA:thread_name}:%{DATA:class_name}:%{DATA:method_name}]\s+%{GREEDYDATA:log_value}"
Also validated the .conf with logstash validation utility