Grok filter - space not working

Elastic Stack Logstash
1

Hi , I am trying to use grok filter on this log , There is a space after WARN I have tried using %s* \s* and also %{SPACE} but it is not triggering an email. can some one please help me.

[2017-03-25T00:00:07,137][WARN ]

input {
  file {
    path => "/var/log/logstash/sample"
    start_position => beginning
  }
}

filter {
  grok {
    match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:log-level}\s*\]" }
  }
}
output {
  email {
        port => 25
        address => "mail.tck.com"
        authentication => "login"
        use_tls => true
        from => "alerts@logstash.com"
        subject => "logstash alert"
        to => "abc@tck.com"
        via => "smtp"
        body => "%{message}"
        debug => true
  }
}
~

~
I am using log stash 2.2.4

2

Your grok filter doesn't affect whether an email is sent or not. If you're not getting an email that could be because

  • Logstash isn't reading any lines from the file,
  • the email output isn't working,
  • the email is getting held up somewhere outside of Logstash.
3

I tried to change the log file (without space after WARN) and it worked by sending an email.
[2017-03-25T00:00:07,137][WARN]
match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:log-level}\]" }

so thus, i think there is something wrong with my filter.
Does grok filter (\s*) work only for logstash versions 2.4 and above , i am using 2.2.4
4

Does grok filter (\s*) work only for logstash versions 2.4 and above , i am using 2.2.4

No, that's standard regexp notation that works on any version of Logstash.

5

Thanks Magnus, yes it was some issue with the mail server.
Now its working.