Grok Filter with alternative

golauty · January 11, 2016, 9:53am

Hi,

i have following GrokFilter extract:

[%{WORD:result}]\s+[Warnings: %{WORD:WarningCount}]|[%{WORD:result}]\s*[Warnings: %{WORD:WarningCount}]\s*[Errors: %{WORD:ErrorCount}]\s*[Exceptions: %{WORD:ExceptionCount}]

For following Log Message:

[Error] [Warnings: 7] [Errors: 0] [Exceptions: 1]
[OK] [Warnings: 7]

But now logstash does not recongnize the fields ErrorCount and ExceptionCount? Why is that so? What can i do?
Other data fields are recognized like WarningCount and result ...

magnusbaeck · January 11, 2016, 11:49am

I'm assuming you have backslashes before the square brackets, i.e. \[Warnings: ...\]? Next time make sure you format your regular expressions as code to avoid having e.g. backslashes stripped.

The problem could be that you don't have any parentheses to limit the effects of |. You probably want something like this:

\[%{WORD:result}]\s+(\[Warnings: ...\]|...)

But instead of listing all alternatives I'd actually prefer this:

\[%{WORD:result}]\s+ \[Warnings: ...\]( \[Errors: ...\])?( \[Exceptions: ...\])?

golauty · January 12, 2016, 5:50am

Thank you very much that helped.

Topic		Replies	Views
"_grokparsefailure" Logstash	5	5237	July 6, 2017
Parsing plain text with Logstash filter Logstash	6	3905	July 13, 2017
Error : "tags" => [ [0] "_grokparsefailure" ]..Grok filter error Logstash	22	2548	September 18, 2019
Problem with coding Grok filter Logstash	5	1014	July 5, 2017
Logstash Filters Logstash	8	736	July 6, 2017

Grok Filter with alternative

Related topics