Grok: filter options match not create new field

Ret · March 1, 2019, 1:01pm

Hi everyone !

I am collecting Windows Event Logs from winlogbeat with Logstash. And I have some problem grok filter.

I created custom pattren for find user account in event log ..... And the pattern working in Kibana Grok Debuger but grok filter not create new field.

Text wich need parsing

TF53010: The following error has occurred in a Team Foundation component or extension:
Date (UTC): 3/1/2019 9:55:44 AM
Machine: ALMVMTEST2
Application Domain: /LM/W3SVC/2/ROOT/tfs-1-131956424397262984
Assembly: Microsoft.TeamFoundation.Framework.Server, Version=16.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v4.0.30319
Service Host: d162e475-ce02-44b3-b3c5-9da898c7efed (DefaultCollection)
Process Details:
Process Name: w3wp
Process Id: 4220
Thread Id: 5412
Account name: contoso\user

Grok pattern config file winevent.grok:

EVENT_ACCOUNT (?<=Account name: ).*(?<!\s)

logstah config

    input {
      beats {
        port => 5044
      }
    }

    filter {
        grok {
    	patterns_dir => "/etc/logstash/patterns"
    	match => { "message" => ["%{EVENT_ACCOUNT}: Account"] }

         }
    }


    output {
      stdout { 
    	codec => rubydebug
        }
     
      elasticsearch {
        hosts => ["http://localhost:9200"]
        index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
        #user => "elastic"
        #password => "changeme"
      }
    }

Any thoughts why not working?
Thanks!

Badger · March 1, 2019, 1:54pm

Since account name is the last item in the message you can use

    grok { match => { message => "^Account name: (?<accountName>.*)" } }

If you wanted to extract a line from the middle of the message you could use a pattern that matches zero-or-more characters that are not newline followed by a newline.

    grok { match => { message => "^Process Name: (?<processName>[^
]*)
" } }

Ret · March 4, 2019, 7:12am

@Badger, thank you very much. This solved my problem.

Pattern that works for me:

grok { match => { message => "Process Name: (?<processName>[^\s]*)" } }

system · April 1, 2019, 7:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter confusion - Am I missing something? Logstash	9	4080	July 6, 2017
Grok timestamp (can't match pattern) Logstash	2	304	March 15, 2021
Can not add a new field using if filter and add_field Logstash	6	454	July 27, 2020
Not able to create separate fields all log data in message field Logstash	3	284	July 29, 2019
Cannot add new field from event type Logstash	3	612	November 14, 2019

Grok: filter options match not create new field

Related Topics