Here is my example log
<134>May 24 17:15:52 asdsgag.com 1,yyyy/mm/dd 17:15:52,001801056715,TRAFFIC,end,1,yyyy/mm/dd 17:15:52,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,0.0.0.0,0.0.0.0,TEST,,,incomplete,local1,wifi,office,cd5.32,rt5.11,asdsgag,2021/05/24 17:15:52,278516,1,54685,9165,0,0,0x19,tcp,allow,66,66,0,1,2021/05/18 15:05:43,0,any,0,187895353,0x8000005240000000,0.0.0.0-0.255.255.255,0.0.0.0-0.255.255.255,0,1,0,aged-out,13,0,0,0,,FW,from-policy,,,0,,0,,N/A,0,0,0,0
<[0-9]+>%{MONTH} %{MONTHDAY} %{TIME} %{DATA:url},%{DATA:datetime},[0-9]+,%{DATA:type},%{GREEDYDATA:event}
<[0-9]+>%{MONTH} %{MONTHDAY} %{TIME} %{DATA:url},%{DATA:datetime},[0-9]+,(?<type>[A-Z]+),%{GREEDYDATA:event}
this one make my log gone no error no grokparsefailure
<[0-9]+>%{MONTH} %{MONTHDAY} %{TIME} %{DATA:url},%{DATA:datetime},[0-9]+,%{GREEDYDATA:event}
this one work properly
but I want to split my log to get more field. I try to check what happen and end here where my log is gone, but no idea how to check or trace the error. Dont have any info in /var/log/logstash/logstash-plain.log
also try add stdout { codec => rubydebug } to out put stil dont get any return in journalctl -fu
logstash
Any idea?