GROK pattern and Debugger

dmalchikov · July 28, 2020, 12:31pm

Hi there!
Could not find a problem and supported index
I have pattern which pass test in Grok Debugger but shows "The input is not valid." in Processor field while Create pipeline
Grok pattern:

^%{TIMESTAMP_ISO8601:timestamp}\s+((?:NOT AVAILABLE)|%{IPORHOST:remote_address})\s+%{POSINT:thread}\s+%{LOGLEVEL:loglevel}\s+(?<logger>\S+)%{GREEDYDATA:message}\s+

two log records:

2020-07-27 00:01:54 NOT AVAILABLE 8   INFO  Quartz.Listener.JobChainingJobListener Job 'ProcessGroup.sendNotificationsJobKey' will now chain to Job 'ProcessGroup.makeEscalationNotificationsJobKey'

2020-07-27 00:02:04 95.163.208.222 26  INFO  Farin.Infrastructure.System.Host.Core.Log.RequestLogMiddleware >> HttpRequest: https://bapp1-ptfm5.farin.com/api/system/healthtest; Method: GET

I see \s+ doesn't like by Processor.
Any ideas?

Badger · July 30, 2020, 9:57pm

Exactly what error message do you get from logstash.

Also, do you really want a trailing \s+ on the pattern?

dmalchikov · August 5, 2020, 3:34pm

Thanks!
Due some playing tries I've got working pattern:

"^%{TIMESTAMP_ISO8601:timestamp}%{SPACE}*((?:NOT AVAILABLE)|%{IPORHOST:remote_address})%{SPACE}*%{POSINT:thread}%{SPACE}*%{LOGLEVEL:loglevel}%{SPACE}*(?<logger>%{NOTSPACE}*)%{GREEDYMULTILINE:message}"

system · September 2, 2020, 3:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.