Grok Pattern not working

Pranav_M · December 29, 2021, 11:11pm

Hey Community,

Received packet: Type = N5abcde8AbcAbcde9AbcdAbcde15AbcdefghAbcdefA, xx = 95, xxx = 441, xxxXxo = 2, xXxxXxx = 1, xxxx = 9 accepted.

The above line is a message from my log and I want to seperate each data into a field to visualize it in Kibana, I tried to use Grok and Dissect, however I am unable to achieve it. I would be extremely thankful if someone from you could guide me to put them together in a pattern

The following is the grok pattern that I have defined, however it isn't working
grok {
match => { "Log_Message" => "%{GREEDYDATA:Packet_Type}%{NUMBER:ts:int}%{NUMBER:cts:int}%{NUMBER:SeqNo:int}%{NUMBER:cSeqNo:int}%{NUMBER:trtd:int}" } }

Badger · December 30, 2021, 12:21am

That does not match your example message. If the set of fields is constant you could use something like

Type = %{NOTSPACE:type}, xx = %{NUMBER:ts:int}, xxx = %{NUMBER:cts:int}, xxxXxo = %{NUMBER:SeqNo:int}, xXxxXxx = {NUMBER:cSeqNo:int}, xxxx = %{NUMBER:trtd:int} accepted

If the set of fields varies it might be better to use an array of patterns, one for each field

grok {
    break_on_match => false
    match => { "log_message" => [
        "Type = %{NOTSPACE:type}",
        "xx = %{NUMBER:ts:int}",
        "xxx = %{NUMBER:cts:int}",
        "xxxXxo = %{NUMBER:SeqNo:int}",
        "xXxxXxx = {NUMBER:cSeqNo:int}",
        "xxxx = %{NUMBER:trtd:int}"
    ]
}

Pranav_M · December 30, 2021, 9:34am

@Badger Thank you for the quick response, its working, thanks a lot

Pranav_M · January 10, 2022, 11:48am

Hi @Badger

I would like to filter out this patter as well from my message, how do I add a filter for it, i tried the following but then neither of them works, I request you to help me out with catching the following message

Abcde Abcde : XX

where Abcde is a string and XX is an integer

I tried the following grok patterns, but doesn't seem to work

match => { "message" => ["ABCDE ABCDE= %{NUMBER:ABCDE ABCDE:int}" ] }

and

match => { "message" => ["ABCDE_ABCDE= %{NUMBER:ABCDE ABCDE:int}" ] }

and

match => { "message" => ["ABCDE ABCDE= %{NUMBER:ABCDE_ABCDE:int}" ] }

and

match => { "message" => ["ABCDE_ABCDE= %{NUMBER:ABCDE_ABCDE:int}" ] }

Can you please help me out in retrieving the message using grok

Badger · January 10, 2022, 3:01pm

Your sample data is separated using : but your patterns use =. That is not going to work.

Pranav_M · January 11, 2022, 4:50am

@Badger , Thanks for your quick response, I understood the working of the filter now and was able to script according to the parameters.

I am now trying to retrieve values out of the log message.

Aaaaaaa AaaaaaaaaaaaAaaaaaa : Aaaaaa: X|X.

the values of X ranges from 0 to 8 and this was the script that I wrote for it
match => { "message" => ["Aaaaaaa AaaaaaaaaaaaAaaaaaa : Aaaaaa: %{NUMBER:AAA:float}|%{NUMBER:BBB:float}" ] }

there is no error thrown, however Logstash is now capturing all messages containing an integer, is there any way where I can make it work?

I want to take the first value and plot in field AAA and second value and plot in field BBB

system · February 8, 2022, 4:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern is not working Logstash	4	2029	December 14, 2016
Logstash Grok Pattern Not Working(Regex) Logstash	5	311	January 31, 2023
Pattern Assistance ## Logstash	4	812	July 6, 2017
Pattern: grok/mutate dont work? Logstash	10	518	November 20, 2022
Problem with Grok filter with my logfile Logstash	2	600	July 6, 2017

Grok Pattern not working

Related Topics