Grok Parse Failure - CSV input via Filebeat

phoenix66 · October 23, 2018, 5:43pm

Hi all,

I am having a problem with a Grok filter failing to parse, despite it working fine in the Kibana Grok debugger.

Here is an example message (CSV into Filebeat to Logstash)

{
       "message" => "\"46642378\",\"Information\",\"2017-09- 15\",\"10:37:52\",\"RVP\\administrator\",\"192.168.0.43\",\"rvpl- 43\",\"RVPL-02- Backups/BFWTestFileRights.tmp\",\"SAMBA\",\"Delete\"",
        "offset" => 434039,
    "prospector" => {
        "type" => "log"
    },
        "source" => "/mnt/nfs/accesslogs/20170915-3.csv",
    "@timestamp" => 2018-10-23T16:58:25.946Z,
          "host" => {
        "name" => "elk01.rvp.local"
    },
         "input" => {
        "type" => "log"
    },
      "@version" => "1",
          "beat" => {
         "version" => "6.4.2",
        "hostname" => "elk01.rvp.local",
            "name" => "elk01.rvp.local"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_grokparsefailure"
    ]
}

And here is the filter I am applying:

filter {
    grok {
            match => { "message" => "\\"%{INT:Message_ID}\\",\\"%{WORD:Severity}\\",\\"%{YEAR:Year}-%{MONTHNUM:Month}-%{MONTHDAY:Day}\\",\\"%{TIME:Time}\\",\\"%{WORD:Domain}\\\\%{WORD:User}\\",\\"%{IPV4:Client_IP}\\",\\"%{HOSTNAME:Hostname}\\",\\"%{GREEDYDATA:File}\\",\\"%{WORD:Protocol}\\",\\"%{WORD:Action}\\""
                            }
        }
}

Does anyone have any tips on how to debug this sort of thing?

Thanks

phoenix66 · October 23, 2018, 11:20pm

I figured it out. It seems that slashes "\" are handled differently in logstash to in the kibana debugger.

Thanks,

balumurari1 · October 25, 2018, 7:24am

to load csv from logstash,

system · November 22, 2018, 7:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.