Grok pattern with forward slashes results in grokfailure

Hi there,

I am trying to extract path components from a "path-like" string and it fails with grokfailure.

I have been banging my head on walls for hours with this. It works in "Grok Debugger", but fails in Logstash.

My data looks like this:
/project-name/app-name/dev/source-name

My pattern is:
/%{GREEDYDATA:project}/%{GREEDYDATA:application}/%{GREEDYDATA:env}/%{GREEDYDATA:source}

Many thanks in advance for your help,
JM

This should work as I use a similar method - can you post the full config?

Also try this:

(?:/%{GREEDYDATA:project}/%{GREEDYDATA:application}/%{GREEDYDATA:env}/%{GREEDYDATA:source})

As this is the exact thing I have in my config and is working!

I tried your example and it did not work.

Can you please clarify what you mean by the full config?

Here is my filter:

grok {
    keep_empty_captures => "true"
    match => { "cloudwatch_logs.log_group" => "(?:/%{GREEDYDATA:project}/%{GREEDYDATA:application}/%{GREEDYDATA:env}/%{GREEDYDATA:source})"}
}

As well, we are writing logs to AWS Cloudwatch from the application and reading it from the Cloudwatch plugin in Logstash.

The name of the log group contains "meta" about the app.

You are using cloudwatch_logs.log_group, should this not be: [cloudwatch_logs][log_group]?
I'm not too familiar with cloudwatch input though.

Completely missed this

Using [cloudwatch_logs][log_group] was indeed the solution.

Many thanks for this,
JM
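
The fix from this thread written out as a complete filter, added here as an example and not posted by either participant. It uses the bracket field reference that resolved the problem; replacing GREEDYDATA with `[^/]+` captures, anchoring the pattern, and the `tag_on_failure` tag name are assumptions of this example, chosen so that a log group with extra or missing path segments is tagged instead of being split in an unexpected place.

```logstash
filter {
  grok {
    # Nested fields are referenced as [outer][inner]. The dotted form
    # "cloudwatch_logs.log_group" is read as one top-level field name,
    # so grok finds nothing to match against.
    match => {
      "[cloudwatch_logs][log_group]" => "^/(?<project>[^/]+)/(?<application>[^/]+)/(?<env>[^/]+)/(?<source>[^/]+)$"
    }
    # Hypothetical tag name: marks events whose log group does not follow
    # the /project/application/env/source layout.
    tag_on_failure => ["_log_group_parse_failure"]
  }
}
```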
