Grok Pattern works fine in Debugger but in the Logtstash

My Pattern: %{MONTH:FP_Month} %{NUMBER:FP_Date} %{TIME} %{IP:FP_LogSource} %{WORD}:%{INT}.%{INT}|%{WORD}|%{WORD}|%{WORD}.%{WORD}.%{WORD}|%{WORD}:%{WORD:FP_Transaction_Status}|%{WORD}=%{NUMBER:FP_Severity}\%{WORD}=%{NUMBER:FP_Category}\tusrName=LDAP://%{IP:FP_DomainControllerIP} \OU\%{GREEDYDATA}=com/%{GREEDYDATA:FP_UserName}\tloginID=%{GREEDYDATA:FP_UserID}\tsrc=%{IP:FP_ClientIP}\tsrcPort=%{NUMBER:FP_ClientPort}\tsrcBytes=%{NUMBER:FP_SourceBytes}\tdstBytes=%{NUMBER:FP_DestinationBytes}\tdst=%{IP:FP_DestinationIP}\tdstPort=%{NUMBER:FP_DestinationPort}\tproxyStatus-code=%{NUMBER:FP_ProxyStatus}\tserverStatus-code=%{NUMBER:FP_ServerStatus}\tduration=%{NUMBER:FP_Duration}\tmethod=%{WORD:FP_METHOD}\tdisposition=%{NUMBER:FP_Disposition}\tcontentType=%{GREEDYDATA:FP_ContentType}\treason=%{GREEDYDATA:FP_Reason}\tpolicy=%{GREEDYDATA:FP_Policy}\trole=%{NUMBER:FP_Role}\tuserAgent=%{GREEDYDATA:FP_UserAgent}\turl=%{URI}

The filter throws Grokerror. On investigating i found the filter throws error the moment it sees a "\"

Please edit your post, select the configuration, and click on </> in the toolbar above the edit panel. Also, please show the data you are trying to match and the actual text of the error message.

I have encountered that a lot -- works in debugger but not logstash. In my cases, it's been that I needed to escape certain characters in the logstash config but not the debugger. Definitely the | or pipe character. Put a backslash in front of those -- |. I haven't done tabs in a while, but the leading \ might also need to be escaped.

My mistake. I was not escaping the tab correctly. I was using doubleslash before..got it corrected by using using only \t. Works fine now

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.