GROK pattern and Debugger

dmalchikov · July 28, 2020, 12:31pm

Hi there!
Could not find a problem and supported index
I have pattern which pass test in Grok Debugger but shows "The input is not valid." in Processor field while Create pipeline
Grok pattern:

^%{TIMESTAMP_ISO8601:timestamp}\s+((?:NOT AVAILABLE)|%{IPORHOST:remote_address})\s+%{POSINT:thread}\s+%{LOGLEVEL:loglevel}\s+(?<logger>\S+)%{GREEDYDATA:message}\s+

two log records:

2020-07-27 00:01:54 NOT AVAILABLE 8   INFO  Quartz.Listener.JobChainingJobListener Job 'ProcessGroup.sendNotificationsJobKey' will now chain to Job 'ProcessGroup.makeEscalationNotificationsJobKey'

2020-07-27 00:02:04 95.163.208.222 26  INFO  Farin.Infrastructure.System.Host.Core.Log.RequestLogMiddleware >> HttpRequest: https://bapp1-ptfm5.farin.com/api/system/healthtest; Method: GET

I see \s+ doesn't like by Processor.
Any ideas?

Badger · July 30, 2020, 9:57pm

Exactly what error message do you get from logstash.

Also, do you really want a trailing \s+ on the pattern?

dmalchikov · August 5, 2020, 3:34pm

Thanks!
Due some playing tries I've got working pattern:

"^%{TIMESTAMP_ISO8601:timestamp}%{SPACE}*((?:NOT AVAILABLE)|%{IPORHOST:remote_address})%{SPACE}*%{POSINT:thread}%{SPACE}*%{LOGLEVEL:loglevel}%{SPACE}*(?<logger>%{NOTSPACE}*)%{GREEDYMULTILINE:message}"

system · September 2, 2020, 3:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern OK in debugger, but parse failure in logstash Logstash	5	739	March 25, 2020
_grokparsefailure but grok debugger looks good Logstash	18	2815	August 19, 2021
Need logstash grok help Logstash	6	681	January 24, 2018
"_grokparsefailure" for pattern that works on grok debugger Logstash	3	688	July 16, 2020
Grok Pattern works in Grok debugger but fails in the parsing Logstash	3	839	August 3, 2019

GROK pattern and Debugger

Related topics