Grok on logstash not working, but working on grokdebugger

anjali · January 8, 2018, 1:13pm

Hello,
The following grok pattern is working on grokdebugger perfectly.

%{DATESTAMP:Timestamp} %{LOGLEVEL:LogLevel} [%{JAVACLASS:Class}] (%{GREEDYDATA:MessageID}) %{GREEDYDATA:Error}\n(?m)%{GREEDYDATA:JavaStackTrace}

This is precisely the response I want.

Now, when I run the same pattern in logstash, I get an incorrect output.

both are using a multiline pattern "^\s"

Can someone please tell me why?

This is my config file.

input {

beats {
type => "syserr"
port => "5044"
codec => multiline {
pattern => "^\s"
what => "previous"
}
}
}

filter {

if [type] =="syserr"{
    grok {
         
         match => ["message", "%{DATESTAMP:Timestamp} %{LOGLEVEL:LogLevel} \[%{JAVACLASS:Class}\] \(%{GREEDYDATA:MessageID}\) %{GREEDYDATA:Error}\n(?m)%{GREEDYDATA:JavaStackTrace}"]
         overwrite => [ "message" ]
        
         
         }

}

}

output {
elasticsearch {
hosts => [ "localhost:9200" ]
}

stdout {
    codec => "rubydebug"
}

}

indent preformatted text by 4 spaces

anjali · January 8, 2018, 1:21pm

I have negate => "true" in the grok debugger. But adding this statement to my logstash config causes a _grokparsefailure.

system · February 5, 2018, 1:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.