Grok filter - space not working

August_rush · March 27, 2017, 2:27pm

Hi , I am trying to use grok filter on this log , There is a space after WARN I have tried using %s* \s* and also %{SPACE} but it is not triggering an email. can some one please help me.

[2017-03-25T00:00:07,137][WARN ]

input {
  file {
    path => "/var/log/logstash/sample"
    start_position => beginning
  }
}

filter {
  grok {
    match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:log-level}\s*\]" }
  }
}
output {
  email {
        port => 25
        address => "mail.tck.com"
        authentication => "login"
        use_tls => true
        from => "alerts@logstash.com"
        subject => "logstash alert"
        to => "abc@tck.com"
        via => "smtp"
        body => "%{message}"
        debug => true
  }
}
~

~
I am using log stash 2.2.4

magnusbaeck · March 28, 2017, 3:13pm

Your grok filter doesn't affect whether an email is sent or not. If you're not getting an email that could be because

Logstash isn't reading any lines from the file,
the email output isn't working,
the email is getting held up somewhere outside of Logstash.

August_rush · March 27, 2017, 2:37pm

I tried to change the log file (without space after WARN) and it worked by sending an email.
[2017-03-25T00:00:07,137][WARN]
match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:log-level}\]" }

so thus, i think there is something wrong with my filter.
Does grok filter (\s*) work only for logstash versions 2.4 and above , i am using 2.2.4

magnusbaeck · March 27, 2017, 2:41pm

Does grok filter (\s*) work only for logstash versions 2.4 and above , i am using 2.2.4

No, that's standard regexp notation that works on any version of Logstash.

August_rush · March 27, 2017, 5:28pm

Thanks Magnus, yes it was some issue with the mail server.
Now its working.

system · April 24, 2017, 5:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.