Grok parser not working

Maddy_M · April 20, 2018, 4:04pm

Actual Data
</>
02/05/2016 10:56:50:8125C2453:502014 dcs:1 dcs->info:1 info:40 info->tina:50
</>

Actual syntax
</>
%{DATESTAMP:Time}:%{USER:user}:%{INT:gear} dcs:%{INT:dcs} dcs->info:%{INT:dcs2info} info:%{INT:info} info->tina:%{INT:info2tina}
</>

Debugger is giving correct data but included in logstash throwing error gorkparser failure

filter {
grok {
match => ["message", "%{DATESTAMP:Time}:%{USER:user}:%{INT:gear} dcs:%{INT:dcs} dcs->info:%{INT:dcs2info} info:%{INT:info} info->tina:%{INT:info2tina}"]

Could you please advise?

Christian_Dahlqvist · April 20, 2018, 4:09pm

Can you add a stdout filter with a rubydebug codec and show us the resulting event with failure?

Maddy_M · April 20, 2018, 4:13pm

{
"@timestamp" => 2018-04-20T16:10:58.393Z,
"beat" => {
"hostname" => "LNX215",
"name" => "LNX215",
"version" => "5.0.1"
},
"source" => "/opt/intraday/dcs0180420105650",
"message" => "2->tina:39",
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "_grokparsefailure"
]
}

JKhondhu · April 20, 2018, 4:14pm

Syntactically incorrect, please try:

filter { grok { match => { "message" => "%{DATESTAMP:Time}:%{USER:user}:%{INT:gear} dcs:%{INT:dcs} dcs->info:%{INT:dcs2info} info:%{INT:info} info->tina:%{INT:info2tina }" }}}

Christian_Dahlqvist · April 20, 2018, 4:14pm

Looks like you actually have quite a few tabs in the file, which probably is why it does not match.

Maddy_M · April 20, 2018, 4:37pm

I think the original message was corrupted. Here is the actual log message. same error. Could you please advise?

Maddy_M · April 20, 2018, 4:39pm

I wanted to seperate the fields and use the values to prepare the line charts with those values

system · May 18, 2018, 4:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.