Grok Filter does not work with a newLine

golauty · January 12, 2016, 8:27am

I have following event in Logstash:

"message": "[The variable 'number' was not bound while trying to expand attribute 'text' with value '$(value)'.]\n2016-01-12 08:30:09,983 [exec][TestCase] <Create a Product and open richtext editor [Error] [Warnings: 10] [Errors: 0] [Exceptions: 1]"

Now i want to filter this message with:

match => { "message[0]" => "(\[%{GREEDYDATA:ErrorMessage}\]\n+)?%{TIMESTAMP_ISO8601:incidentTime:date}\s+\[exec\]\[%{WORD:TestNode}\]\s*\<%{GREEDYDATA:test}\s*\[%{WORD:result}\]\s*\[Warnings: %{WORD:WarningCount}\](\s*\[Errors: %{WORD:ErrorCount}\]\s*\[Exceptions: %{WORD:ExceptionCount}\])?" }
And now i get a grokeparsefailure_ and i don´t understand why? Without the error Message everything works fine.

magnusbaeck · January 12, 2016, 9:07am

I think newline characters by default count as end-of-line, in which case prepending "(?m)" to the expression should help.

golauty · January 12, 2016, 9:49am

Where do I have to place that modifier, i placed it before the reg exp but that didn´t work ?

magnusbaeck · January 12, 2016, 10:11am

Hmm. In that case I don't know what's up.

golauty · January 12, 2016, 11:50am

Is there something i can do to further investigate my error, like an enhanced log message? Maybe it is a bug....