Grok Pattern not working

Pranav_M · December 29, 2021, 11:11pm

Hey Community,

Received packet: Type = N5abcde8AbcAbcde9AbcdAbcde15AbcdefghAbcdefA, xx = 95, xxx = 441, xxxXxo = 2, xXxxXxx = 1, xxxx = 9 accepted.

The above line is a message from my log and I want to seperate each data into a field to visualize it in Kibana, I tried to use Grok and Dissect, however I am unable to achieve it. I would be extremely thankful if someone from you could guide me to put them together in a pattern

The following is the grok pattern that I have defined, however it isn't working
grok {
match => { "Log_Message" => "%{GREEDYDATA:Packet_Type}%{NUMBER:ts:int}%{NUMBER:cts:int}%{NUMBER:SeqNo:int}%{NUMBER:cSeqNo:int}%{NUMBER:trtd:int}" } }

Badger · December 30, 2021, 12:21am

That does not match your example message. If the set of fields is constant you could use something like

Type = %{NOTSPACE:type}, xx = %{NUMBER:ts:int}, xxx = %{NUMBER:cts:int}, xxxXxo = %{NUMBER:SeqNo:int}, xXxxXxx = {NUMBER:cSeqNo:int}, xxxx = %{NUMBER:trtd:int} accepted

If the set of fields varies it might be better to use an array of patterns, one for each field

grok {
    break_on_match => false
    match => { "log_message" => [
        "Type = %{NOTSPACE:type}",
        "xx = %{NUMBER:ts:int}",
        "xxx = %{NUMBER:cts:int}",
        "xxxXxo = %{NUMBER:SeqNo:int}",
        "xXxxXxx = {NUMBER:cSeqNo:int}",
        "xxxx = %{NUMBER:trtd:int}"
    ]
}

Pranav_M · December 30, 2021, 9:34am

@Badger Thank you for the quick response, its working, thanks a lot

Pranav_M · January 10, 2022, 11:48am

Hi @Badger

I would like to filter out this patter as well from my message, how do I add a filter for it, i tried the following but then neither of them works, I request you to help me out with catching the following message

Abcde Abcde : XX

where Abcde is a string and XX is an integer

I tried the following grok patterns, but doesn't seem to work

match => { "message" => ["ABCDE ABCDE= %{NUMBER:ABCDE ABCDE:int}" ] }

and

match => { "message" => ["ABCDE_ABCDE= %{NUMBER:ABCDE ABCDE:int}" ] }

and

match => { "message" => ["ABCDE ABCDE= %{NUMBER:ABCDE_ABCDE:int}" ] }

and

match => { "message" => ["ABCDE_ABCDE= %{NUMBER:ABCDE_ABCDE:int}" ] }

Can you please help me out in retrieving the message using grok

Badger · January 10, 2022, 3:01pm

Your sample data is separated using : but your patterns use =. That is not going to work.

Pranav_M · January 11, 2022, 4:50am

@Badger , Thanks for your quick response, I understood the working of the filter now and was able to script according to the parameters.

I am now trying to retrieve values out of the log message.

Aaaaaaa AaaaaaaaaaaaAaaaaaa : Aaaaaa: X|X.

the values of X ranges from 0 to 8 and this was the script that I wrote for it
match => { "message" => ["Aaaaaaa AaaaaaaaaaaaAaaaaaa : Aaaaaa: %{NUMBER:AAA:float}|%{NUMBER:BBB:float}" ] }

there is no error thrown, however Logstash is now capturing all messages containing an integer, is there any way where I can make it work?

I want to take the first value and plot in field AAA and second value and plot in field BBB

system · February 8, 2022, 4:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern works but not applied on Kibana (2nd) Elasticsearch	2	728	March 13, 2020
Grok filter is not working (custom pattern) Logstash	6	1667	May 10, 2017
Logstash Grok Pattern Not Working(Regex) Logstash	5	312	January 31, 2023
Pattern for this log Logstash	7	264	January 17, 2021
Grok pattern works but not applied on Kibana Kibana	11	1426	March 16, 2020

Grok Pattern not working

Related topics