Yeah that may be the case, i have also able to parse without any _grokparsefailure with the following grok.
filter {
grok {
match => { "message" => '\[%{TIMESTAMP_ISO8601:timestamp}\] %{HTTPDUSER:EVENTUSER} %{WORD:EVENT} \[%{NUMBER:ID}:%{GREEDYDATA:STATE}\] %{GREEDYDATA:project} %{HTTPDUSER:USER}/ %{HTTPDUSER:abortedby} "%{GREEDYDATA:PATH}/%{GREEDYDATA:jobName}"\[%{GREEDYDATA:uuid}\]' }
}
}
The problem was with the spacing at this %{HTTPDUSER:abortedby}. This should be without any spaces to the adjacent /.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
