Grok Pattern works fine in Debugger but in the Logtstash

My Pattern: %{MONTH:FP_Month} %{NUMBER:FP_Date} %{TIME} %{IP:FP_LogSource} %{WORD}:%{INT}.%{INT}|%{WORD}|%{WORD}|%{WORD}.%{WORD}.%{WORD}|%{WORD}:%{WORD:FP_Transaction_Status}|%{WORD}=%{NUMBER:FP_Severity}\%{WORD}=%{NUMBER:FP_Category}\tusrName=LDAP://%{IP:FP_DomainControllerIP} \OU\%{GREEDYDATA}=com/%{GREEDYDATA:FP_UserName}\tloginID=%{GREEDYDATA:FP_UserID}\tsrc=%{IP:FP_ClientIP}\tsrcPort=%{NUMBER:FP_ClientPort}\tsrcBytes=%{NUMBER:FP_SourceBytes}\tdstBytes=%{NUMBER:FP_DestinationBytes}\tdst=%{IP:FP_DestinationIP}\tdstPort=%{NUMBER:FP_DestinationPort}\tproxyStatus-code=%{NUMBER:FP_ProxyStatus}\tserverStatus-code=%{NUMBER:FP_ServerStatus}\tduration=%{NUMBER:FP_Duration}\tmethod=%{WORD:FP_METHOD}\tdisposition=%{NUMBER:FP_Disposition}\tcontentType=%{GREEDYDATA:FP_ContentType}\treason=%{GREEDYDATA:FP_Reason}\tpolicy=%{GREEDYDATA:FP_Policy}\trole=%{NUMBER:FP_Role}\tuserAgent=%{GREEDYDATA:FP_UserAgent}\turl=%{URI}

The filter throws Grokerror. On investigating i found the filter throws error the moment it sees a "\"

Please edit your post, select the configuration, and click on </> in the toolbar above the edit panel. Also, please show the data you are trying to match and the actual text of the error message.

I have encountered that a lot -- works in debugger but not logstash. In my cases, it's been that I needed to escape certain characters in the logstash config but not the debugger. Definitely the | or pipe character. Put a backslash in front of those -- |. I haven't done tabs in a while, but the leading \ might also need to be escaped.

My mistake. I was not escaping the tab correctly. I was using doubleslash it corrected by using using only \t. Works fine now

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.