Grok processor in pipeline throws json_parse_exception

Sonia_Gupta · March 22, 2018, 6:38pm

Unable to use regex for grok pattern:

when I give the following:
POST _ingest/pipeline/_simulate
{
"pipeline": {
"description" : "parse multiple patterns",
"processors": [
{
"grok": {
"field": "message",
"patterns": ["\s*%{LOGLEVEL:level}\s*"]
}
}
]
},
"docs":[
{
"_source": {
"message": "[2018-03-21T22:27:34,362] INFO [o.e.n.Node ] [Lf9T-uu] starting ..."
}
}
]
}

I get this output:
{
"error": {
"root_cause": [
{
"type": "parse_exception",
"reason": "Failed to parse content to map"
}
],
"type": "parse_exception",
"reason": "Failed to parse content to map",
"caused_by": {
"type": "json_parse_exception",
"reason": "Unrecognized character escape 's' (code 115)\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@21fdd9ae; line: 8, column: 25]"
}
},
"status": 400
}

Bernt_Rostad · March 23, 2018, 6:33am

The parser exception tells you what's wrong, the "\s" is an unknown escape sequence. Instead, just use space characters around the grok pattern for the file level:

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description" : "parse multiple patterns",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [" %{LOGLEVEL:level} "]
        }
      }
    ]
  },
  "docs":[
    {
      "_source": {
        "message": "[2018-03-21T22:27:34,362] INFO [o.e.n.Node ] [Lf9T-uu] starting ..."
      }
    }
  ]
}

Output (in my Kibana):

{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_type": "_type",
        "_id": "_id",
        "_source": {
          "message": "[2018-03-21T22:27:34,362] INFO [o.e.n.Node ] [Lf9T-uu] starting ...",
          "level": "INFO"
        },
        "_ingest": {
          "timestamp": "2018-03-23T06:30:28.633Z"
        }
      }
    }
  ]
}

Sonia_Gupta · March 27, 2018, 6:30pm

Thanks that worked, but when I specify multiple patterns, it failed again:

POST _ingest/pipeline/_simulate

{
"pipeline": {
"description" : "parse multiple patterns",
"processors": [
{
"grok": {
"field": "message",
"patterns": [" %{LOGLEVEL:level} ", "[%{LOGLEVEL:level}]", "level=%{LOGLEVEL:level} ", "level=>:%{LOGLEVEL:level}"]
}
}
]
},
"docs":[
{
"_source": {
"message": "[2018-03-21T22:27:34,362] INFO [o.e.n.Node ] [Lf9T-uu] starting ..."
}
}
]
}

OUTPUT:

"docs": [
{
"doc": {
"_index": "_index",
"_type": "_type",
"_id": "_id",
"_source": {
"message": "[2018-03-21T22:27:34,362] INFO [o.e.n.Node ] [Lf9T-uu] starting ..."
},
"_ingest": {
"timestamp": "2018-03-27T18:26:11.927Z"
}
}
}
]
}

system · April 24, 2018, 6:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.