Grok issues

I am trying to extract a substring from a file's path. The path is:

"/home/kate/logs/phone/messages"

I need to get the "phone" part. In my logstash conf file I am trying to use grok to extract this substring.
I checked the pattern in the grok debugger and it is able to extract "phone":
/home/kate/logs/%{GREEDYDATA:device}/
But when I add the grok filter in my conf file:

    filter {
      grok {
        match => { "path" => "/home/kate/phone/%{GREEDYDATA:device}/" }
      }
    }

I received [1] "_grokparsefailure" ....
Very confused. I am thinking something wrong with the syntax, but honestly can't think of anything. Any thoughts?

What does your event look like? Do you have a field named path when you run the grok?

{
           "log" => {
        "offset" => 0,
          "file" => {
            "path" => "/home/kate/logs/phone/messages1"
        }
    },
      "@version" => "1",
           "ecs" => {
        "version" => "1.1.0"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_grokparsefailure"
    ],
         "input" => {
        "type" => "log"
    },
         "agent" => {
                  "id" => "3cce9ee7-2f9f-4bb4-9b1c-25be78676753",
        "ephemeral_id" => "aab44b68-d28b-4800-a2e2-a58694bdc6e4",
             "version" => "7.5.0",
                "type" => "filebeat",
            "hostname" => "kate-VirtualBox"
    },
    "@timestamp" => 2019-12-23T07:05:40.549Z,
          "host" => {
        "name" => "kate-VirtualBox"
    },
       "message" => "Hello World!"
}

Is grok somehow not able to access the path?...

The path is not directly under root, so you need to specify match => { "[file][path]" => "/home/kate/phone/%{GREEDYDATA:device}/" }

Huh, I did not think of that! But "[file][path]" still throws grokparsefailure....

It works with [log][file][path]!
Thank you so much for your help, I wouldn't have thought of this :slight_smile:
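The thread's two answers hinge on the difference between a Logstash field reference ("path", "[file][path]", "[log][file][path]") and the actual nesting of the event. The following is an added example, not code from the thread or from Logstash; it resolves field references against a constructed copy of the event shown above and applies a small grok-to-regex translation (only GREEDYDATA is defined here, as an assumption) so you can see which references hit the path and which would be tagged _grokparsefailure.

```python
import re

# Constructed event, mirroring the shape shown in the thread: the path
# lives under log.file.path, not at the top level.
EVENT = {
    "log": {"offset": 0, "file": {"path": "/home/kate/logs/phone/messages1"}},
    "message": "Hello World!",
    "tags": ["beats_input_codec_plain_applied"],
}

# Minimal stand-in for the grok pattern library (assumption: only GREEDYDATA).
GROK_PATTERNS = {"GREEDYDATA": r".*"}

FIELD_REF = re.compile(r"\[([^\]]+)\]")


def resolve_field(event, ref):
    """Resolve a Logstash-style field reference: 'path' (top level) or '[log][file][path]'."""
    keys = FIELD_REF.findall(ref) if ref.startswith("[") else [ref]
    value = event
    for key in keys:
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def grok_to_regex(pattern):
    """Translate %{NAME:field} into a named group; literal text between is escaped."""
    out, pos = [], 0
    for m in re.finditer(r"%\{(\w+):(\w+)\}", pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        out.append(f"(?P<{m.group(2)}>{GROK_PATTERNS[m.group(1)]})")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("".join(out))


def grok_match(event, field_ref, pattern):
    """Return the extracted fields, or None where Logstash would tag _grokparsefailure."""
    text = resolve_field(event, field_ref)
    if text is None:          # field reference points at nothing: no match possible
        return None
    m = grok_to_regex(pattern).search(text)  # grok is unanchored by default
    return m.groupdict() if m else None


if __name__ == "__main__":
    for ref in ("path", "[file][path]", "[log][file][path]"):
        print(ref, "->", grok_match(EVENT, ref, "/home/kate/logs/%{GREEDYDATA:device}/"))
```

Note that the literal prefix in the pattern has to match too: the debugger pattern in the thread starts with /home/kate/logs/, and a pattern starting with /home/kate/phone/ fails even when pointed at [log][file][path].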
