Grok pattern doesn't match path

hrmzaqa · February 10, 2020, 1:05pm

Hi,

I have a problem that I cannot solve for too long so I'm using this forum to get a help
i need to to get name of application server parsed from path.
I have this simple pattern but i'm getting "_grokparsefailure" in tags

input {
    beats {
        port => "5044"
    }
}
filter {
    if "app-server" in [tags] {
        grok {
        # match app server from log path
            match => {"path" => "%{GREEDYDATA}/logs/%{DATA:app_server_name}/SystemOut.log"}
         }
    }
}
output {
      stdout { codec => rubydebug }
 }

the output i'm getting is this

{
         "input" => {
        "type" => "log"
    },
           "log" => {
        "offset" => 690955,
          "file" => {
            "path" => "/opt/IBM/WebSphere/AppServer/profiles/pillipercol/logs/server2/SystemOut.log"
        }
    },
          "tags" => [
        [0] "app-server",
        [1] "beats_input_codec_plain_applied",
        [2] "_grokparsefailure"
    ],
    "@timestamp" => 2020-02-10T12:53:07.774Z,
       "message" => "[2/10/20 13:53:01:439 CET] 000025c6 CacheSlotCmdI I com.commerce.order.commands.CacheSlotCmdImpl performExecute Exiting",
      "@version" => "1",
           "ecs" => {
        "version" => "1.0.0"
    },
          "host" => {
        "name" => "*************"
    },
         "agent" => {
            "hostname" => "**************",
                  "id" => "751b53a2-0c35-4b94-ae76-4f43981a9d8a",
        "ephemeral_id" => "9010e020-41bf-4d97-8842-bda1624c6a73",
             "version" => "7.0.1",
                "type" => "filebeat"
    }
}

Fabio-sama · February 10, 2020, 2:20pm

What about applying that grok to [file][path] rather than simply [path]? So

input {
  beats {
    port => "5044"
  }
}

filter {
  if "app-server" in [tags] {
    grok {
    # match app server from log path
      match => {"[file][path]" => "%{GREEDYDATA}/logs/%{DATA:app_server_name}/SystemOut.log"}
    }
  }
}

output {
  stdout {}
}

hrmzaqa · February 10, 2020, 2:57pm

Thanks for quick reponse but unfortunatelly this didn't help.
i updated Logstash to 7.5.2.
Bus still the app_server_name field is not getting parsed

Badger · February 10, 2020, 3:18pm

It's actually [log][file][path]

Fabio-sama · February 10, 2020, 3:25pm

Ooops...didn't see the external [log] because of the weird indentation. As Badger says, with [log][file][path] it should work

hrmzaqa · February 10, 2020, 3:27pm

thx a lot
worked

system · March 9, 2020, 3:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter not parsing path Logstash	3	561	October 12, 2020
Get filter value in add_field Logstash	5	564	June 27, 2019
Please, I need help with grok patterns Logstash	2	424	March 5, 2020
Pattern matching filebeat to logstash Logstash	2	276	September 4, 2019
Grok regex don't match Logstash	9	987	April 1, 2019

Grok pattern doesn't match path

Related Topics