Grok Parse Failure - CSV input via Filebeat

Hi all,

I am having a problem with a Grok filter failing to parse, despite it working fine in the Kibana Grok debugger.

Here is an example message (CSV into Filebeat to Logstash):

{
       "message" => "\"46642378\",\"Information\",\"2017-09-15\",\"10:37:52\",\"RVP\\administrator\",\"192.168.0.43\",\"rvpl-43\",\"RVPL-02-Backups/BFWTestFileRights.tmp\",\"SAMBA\",\"Delete\"",
        "offset" => 434039,
    "prospector" => {
        "type" => "log"
    },
        "source" => "/mnt/nfs/accesslogs/20170915-3.csv",
    "@timestamp" => 2018-10-23T16:58:25.946Z,
          "host" => {
        "name" => "elk01.rvp.local"
    },
         "input" => {
        "type" => "log"
    },
      "@version" => "1",
          "beat" => {
         "version" => "6.4.2",
        "hostname" => "elk01.rvp.local",
            "name" => "elk01.rvp.local"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_grokparsefailure"
    ]
}

And here is the filter I am applying:

filter {
    grok {
            match => { "message" => "\\"%{INT:Message_ID}\\",\\"%{WORD:Severity}\\",\\"%{YEAR:Year}-%{MONTHNUM:Month}-%{MONTHDAY:Day}\\",\\"%{TIME:Time}\\",\\"%{WORD:Domain}\\\\%{WORD:User}\\",\\"%{IPV4:Client_IP}\\",\\"%{HOSTNAME:Hostname}\\",\\"%{GREEDYDATA:File}\\",\\"%{WORD:Protocol}\\",\\"%{WORD:Action}\\""
                            }
        }
}

Does anyone have any tips on how to debug this sort of thing?

Thanks

I figured it out. It seems that slashes "\" are handled differently in Logstash than in the Kibana debugger.

Thanks,
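
One way to check which text a pattern really matches, as an added example that is not code from this thread: it runs the posted pattern and an unescaped version against both the raw CSV line and the escaped form that the rubydebug dump prints. The grok definitions are simplified regex stand-ins, and the pattern is assumed to reach the regex engine exactly as written in the filter.

```python
import re

# Constructed from the event on this page: RAW is the line as it sits in the CSV
# file; DISPLAYED is the same line as the rubydebug dump prints it (\" and \\).
RAW = (r'"46642378","Information","2017-09-15","10:37:52","RVP\administrator",'
       r'"192.168.0.43","rvpl-43","RVPL-02-Backups/BFWTestFileRights.tmp","SAMBA","Delete"')
DISPLAYED = RAW.replace("\\", "\\\\").replace('"', '\\"')

# Simplified stand-ins for the grok patterns the filter uses (assumption: the
# real grok definitions are stricter, but behave the same on this line).
GROK = {
    "INT": r"[+-]?\d+", "WORD": r"\w+", "YEAR": r"\d{4}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])", "MONTHDAY": r"(?:0[1-9]|[12]\d|3[01]|[1-9])",
    "TIME": r"\d{2}:\d{2}:\d{2}", "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"[0-9A-Za-z][0-9A-Za-z.-]*", "GREEDYDATA": r".*",
}

# PLAIN: quotes written bare, one regex-escaped backslash between domain and user.
PLAIN = ('"%{INT:Message_ID}","%{WORD:Severity}",'
         '"%{YEAR:Year}-%{MONTHNUM:Month}-%{MONTHDAY:Day}","%{TIME:Time}",'
         r'"%{WORD:Domain}\\%{WORD:User}","%{IPV4:Client_IP}","%{HOSTNAME:Hostname}",'
         '"%{GREEDYDATA:File}","%{WORD:Protocol}","%{WORD:Action}"')

# POSTED: the same pattern with the escaping shown in the filter on this page
# (\\" around every field and \\\\ between domain and user).
POSTED = PLAIN.replace("\\", "\\\\").replace('"', '\\\\"')


def grok_match(pattern, text):
    """Expand %{NAME:field} into named groups and match the whole line."""
    regex = re.sub(r"%\{(\w+):(\w+)\}",
                   lambda m: f"(?P<{m.group(2)}>{GROK[m.group(1)]})", pattern)
    m = re.fullmatch(regex, text)
    return m.groupdict() if m else None


def matrix():
    """Which pattern matches which form of the line."""
    patterns = {"plain": PLAIN, "posted": POSTED}
    texts = {"raw": RAW, "displayed": DISPLAYED}
    return {(p, t): grok_match(patterns[p], texts[t]) is not None
            for p in patterns for t in texts}


if __name__ == "__main__":
    for key, ok in matrix().items():
        print(key, "match" if ok else "no match")
```

The posted escaping matches only the dump-style text, so a pattern tested against a message copied out of rubydebug output can pass in a debugger and still fail on the event itself.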

to load csv from logstash,
