Grok pattern matching in debugger but not on logstash

smtp_server · June 8, 2022, 4:25am

Obvious from question, I've been trying to look for fault for so long but still don't seem to be coming around solution. Here's config

filter{
grok{
pattern_definitions => {
        "CUSTOMMONTH" => "(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
        "CUSTOMTIMESTAMP" => "%{MONTHDAY}/%{CUSTOMMONTH}/%{YEAR} %{TIME}"
    }
match=>{
    
    
    "message" => ["%{CUSTOMTIMESTAMP:time}",
           "\"%{WORD:method} %{DATA:url} HTTP"]
    "@version" => "%{NUMBER:num}"
    
}
add_field=>{"user"=>"url1" }


}
}

"message" => "{"log":"[08/Jun/2022 03:29:16] "GET /cart/ HTTP/1.1" 200 16123\n","stream":"stderr","time":"2022-06-08T03:29:16.583783858Z"}"

Matches well on online debugger and ignore @version matching part because that works well.

Badger · June 8, 2022, 4:37am

If your problem is that "\"%{WORD:method} %{DATA:url} HTTP" never matches (please do not make us guess) then look at the break_on_match option.

smtp_server · June 8, 2022, 8:22am

Sorry, I tried your method and it worked. I don't seem to get it however that how @version is matched first even though its position in event and same of its pattern in config file is after message

Badger · June 8, 2022, 3:44pm

The options are a hash, and Java hashes are not ordred. There is no such thing as before or after.

system · July 6, 2022, 3:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.