Hi. I have the following Logstash configuration:
filter {
  if "platform1" in [tags] {
    grok {
      match => {
        "message" => ['%{TIMESTAMP_ISO8601:timestamp}? ?\[?L?:? ?%{LOGLEVEL:logLevel}?\]? ?\[?O?:? ?(%{USERNAME:O}|%{NUMBER:O})?\]? ?\[?I?:? ?(%{USERNAME:I}|%{NUMBER:I})?\]? ?\[?U?:? ?(%{EMAILADDRESS:U}|%{NUMBER:U})?\]? ?\[?S?:? ?(%{USERNAME:S}|%{NUMBER:S})?\]? ?\[?P?:? ?(%{USERNAME:P}|%{NUMBER:P})?\]? ?\[?T?:? ?(%{USERNAME:T}|%{NUMBER:T})?\]? ?%{GREEDYDATA:logMessage}']
      }
    }
  } else if "blob_logs" in [fields][logType] {
    grok {
      match => {
        "message" => ['#?%{WORD}?:?%{TIMESTAMP_ISO8601:timestamp}? ?#?%{WORD}?:?%{WORD:timezone}? ?#?%{WORD}?:?%{LOGLEVEL:logLevel}? ?#?%{WORD}?:?%{HOSTNAME:host}? ?#?%{WORD}?:?%{IP:ip}? ?#?%{WORD}?:?%{NUMBER:transaction_id}? ?#?%{WORD}?:?%{NUMBER:request_id}? ?#?%{WORD}?:?%{NUMBER:ownservice_id}? ?#?%{WORD}?:?%{NUMBER:destservice_id}? ?#?%{WORD}?:?%{WORD:type}? ?#?%{WORD}?:?%{USERNAME:class}? ?#?%{GREEDYDATA:message}']
      }
    }
  } else {
    grok {
      match => { "message" => ['%{LOGLEVEL:logLevel}%{GREEDYDATA:logMessage}'] }
    }
  }
}
And I'm trying to parse something like this:
#Date:2023-03-30 14:27:03.818#TimeZone:UTC#Severity:INFO #Host:#IP:#TransactionID:#RequestID:#OwnServiceID:#DestServiceID:#Type:#Class:com..azure.controller.BlobController 169#Method:uploadBlob#Message:file instance created
In the Grok Debugger everything is going well, but in Kibana I see just the unparsed message. There is no _grokparsefailure tag.
What am I doing wrong? Thanks
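An added example, not part of the original post and not Logstash's own code, that replays the two non-platform1 branches of the posted filter against the posted sample line offline. It assumes a constructed subset of the stock grok definitions transcribed for Python's re module (atomic groups replaced by plain groups, the IPv6 alternative of IP dropped), with re standing in for Logstash's Oniguruma engine; the platform1 pattern is left out because it reuses capture names, which Python's re rejects. The point it makes is that a grok match is an unanchored search, so a pattern built entirely from optional pieces, or a fallback like %{LOGLEVEL}%{GREEDYDATA}, matches almost any line and never produces _grokparsefailure, even when the fields it fills are not the ones you expect.

```python
import re
from typing import Optional

# Constructed subset of the stock Logstash grok definitions (logstash-patterns-core),
# transcribed for Python's re. Assumption: the atomic groups (?>...) in the stock
# YEAR and BASE10NUM become ordinary non-capturing groups, and IP keeps only the
# IPv4 alternative; neither changes the result on the sample line below.
PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "WORD": r"\b\w+\b",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "GREEDYDATA": r".*",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IPV4": r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])",
    "IP": r"%{IPV4}",
    "BASE10NUM": r"(?<![0-9.+-])(?:[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))",
    "NUMBER": r"(?:%{BASE10NUM})",
    "LOGLEVEL": r"(?:[Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo?(?:rmation)?|INFO?(?:RMATION)?|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)",
}

# The two patterns from the posted filter and the posted sample line, verbatim.
BLOB_PATTERN = r"#?%{WORD}?:?%{TIMESTAMP_ISO8601:timestamp}? ?#?%{WORD}?:?%{WORD:timezone}? ?#?%{WORD}?:?%{LOGLEVEL:logLevel}? ?#?%{WORD}?:?%{HOSTNAME:host}? ?#?%{WORD}?:?%{IP:ip}? ?#?%{WORD}?:?%{NUMBER:transaction_id}? ?#?%{WORD}?:?%{NUMBER:request_id}? ?#?%{WORD}?:?%{NUMBER:ownservice_id}? ?#?%{WORD}?:?%{NUMBER:destservice_id}? ?#?%{WORD}?:?%{WORD:type}? ?#?%{WORD}?:?%{USERNAME:class}? ?#?%{GREEDYDATA:message}"
FALLBACK_PATTERN = r"%{LOGLEVEL:logLevel}%{GREEDYDATA:logMessage}"
SAMPLE = "#Date:2023-03-30 14:27:03.818#TimeZone:UTC#Severity:INFO #Host:#IP:#TransactionID:#RequestID:#OwnServiceID:#DestServiceID:#Type:#Class:com..azure.controller.BlobController 169#Method:uploadBlob#Message:file instance created"

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} and %{NAME:field} references recursively into one Python regex."""
    def repl(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, pattern)


def grok_match(pattern: str, line: str, anchored: bool = False) -> Optional[dict]:
    """Apply a grok pattern the way the grok filter does: as an unanchored search.

    Returns only the named captures that actually matched (grok adds no field for
    an optional capture that stayed empty). Returns None when the pattern does not
    match at all, which is the only case where Logstash tags _grokparsefailure.
    With anchored=True the whole line must match, as it would with ^...$.
    """
    regex = grok_to_regex(pattern)
    m = re.fullmatch(regex, line) if anchored else re.search(regex, line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def parse_with_posted_config(line: str, log_type: Optional[str]) -> Optional[dict]:
    """Branch selection of the posted filter for an event without the platform1 tag."""
    if log_type is not None and "blob_logs" in log_type:
        return grok_match(BLOB_PATTERN, line)
    return grok_match(FALLBACK_PATTERN, line)


if __name__ == "__main__":
    print("blob_logs branch:      ", parse_with_posted_config(SAMPLE, "blob_logs"))
    print("else branch:           ", parse_with_posted_config(SAMPLE, None))
    print("else branch, anchored: ", grok_match(FALLBACK_PATTERN, SAMPLE, anchored=True))
```

Run as is, the blob_logs branch yields timestamp, timezone, logLevel, class and a `message` capture holding everything from "169#Method:..." onward (USERNAME stops at the space inside the Class value, and the pattern has no slot for #Method), while host, ip, type and the numeric ids stay absent. The else branch also matches: the unanchored LOGLEVEL finds the substring "er" inside "Severity" and reports that as logLevel with the rest of the line as logMessage, so an event that falls through to that branch is "parsed" without any failure tag. Only the anchored variant returns None. Two checks follow from this when you verify a pipeline against production rather than the debugger: anchor patterns (or end them with a mandatory literal) so a wrong branch fails loudly, and note that the blob pattern writes its capture into `message`, a field the event already has; the grok filter appends to an existing field (turning it into an array) unless `overwrite => ["message"]` is set.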