I am trying to extract a substring from a file's path. The path is:
"/home/kate/logs/phone/messages"
I need to get the "phone" part. In my logstash conf file I am trying to use grok to extract this substring.
I checked the pattern in the grok debugger and it is able to extract "phone":
/home/kate/logs/%{GREEDYDATA:device}/
But when I add the grok filter in my conf file:
filter {
  grok {
    match => { "path" => "/home/kate/phone/%{GREEDYDATA:device}/" }
  }
}
I received [1] "_grokparsefailure" ....
Very confused. I am thinking something is wrong with the syntax, but honestly can't think of anything. Any thoughts?
What does your event look like? Do you have a field named path when you run the grok?
{
    "log" => {
        "offset" => 0,
        "file" => {
            "path" => "/home/kate/logs/phone/messages1"
        }
    },
    "@version" => "1",
    "ecs" => {
        "version" => "1.1.0"
    },
    "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_grokparsefailure"
    ],
    "input" => {
        "type" => "log"
    },
    "agent" => {
        "id" => "3cce9ee7-2f9f-4bb4-9b1c-25be78676753",
        "ephemeral_id" => "aab44b68-d28b-4800-a2e2-a58694bdc6e4",
        "version" => "7.5.0",
        "type" => "filebeat",
        "hostname" => "kate-VirtualBox"
    },
    "@timestamp" => 2019-12-23T07:05:40.549Z,
    "host" => {
        "name" => "kate-VirtualBox"
    },
    "message" => "Hello World!"
}
Is grok somehow not able to access the path?...
The path is not directly under root, so you need to specify match => { "[file][path]" => "/home/kate/phone/%{GREEDYDATA:device}/" }
Huh, I did not think of that! But "[file][path]" still throws grokparsefailure....
It works with [log][file][path]!
Thank you so much for your help, I wouldn't have thought of this
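The resolution above comes down to Logstash field-reference syntax: a bare name such as `path` is a top-level field, while a nested field must be written as `[log][file][path]`. The following is an added example, not code from the thread or from Logstash itself: it resolves a field reference against a constructed event shaped like the Filebeat event pasted above and runs the thread's grok pattern against it, so the three attempts (`path`, `[file][path]`, `[log][file][path]`) can be compared side by side.

```python
import re

# Constructed event, trimmed to the parts of the Filebeat event shown in the
# thread that the example needs.
EVENT = {
    "log": {"offset": 0, "file": {"path": "/home/kate/logs/phone/messages1"}},
    "message": "Hello World!",
}

# The grok pattern from the thread, expanded: %{GREEDYDATA:device} is the
# built-in `.*` pattern, captured here as a named group. Grok searches rather
# than anchors, so re.search is the right emulation.
GROK_PATTERN = re.compile(r"/home/kate/logs/(?P<device>.*)/")

# A field reference is one or more bracketed segments, e.g. "[log][file][path]".
FIELD_REF = re.compile(r"^(\[[^\[\]]+\])+$")


def resolve_field(event, ref):
    """Resolve a Logstash-style field reference against an event dict.

    A bare name ("path") means a top-level field. Returns None when any
    segment is missing, which is the situation that yields _grokparsefailure.
    """
    if FIELD_REF.match(ref):
        parts = re.findall(r"\[([^\[\]]+)\]", ref)
    else:
        parts = [ref]
    node = event
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def grok_match(event, ref):
    """Return what grok would add to the event for the given field reference:
    the captured `device` field on success, or the failure tag otherwise."""
    value = resolve_field(event, ref)
    if not isinstance(value, str):
        return {"tags": ["_grokparsefailure"]}
    match = GROK_PATTERN.search(value)
    if match is None:
        return {"tags": ["_grokparsefailure"]}
    return {"device": match.group("device")}


if __name__ == "__main__":
    for ref in ("path", "[file][path]", "[log][file][path]"):
        print(f"{ref:20s} -> {grok_match(EVENT, ref)}")
```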