GROK strange issue

brunus0475 · April 18, 2020, 5:27am

Hi All,

where is my configuration error, we've only moved the timestamp field at the start of the message:

    ## GROK NOT WORK
    POST /_ingest/pipeline/_simulate
    {
      "pipeline": {
        "processors": [
          {
            "grok": {
              "field": "message",
              "patterns": ["""%{TIMESTAMP_ISO8601:@timestamp} %{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{TIMESTAMP_ISO8601:@timestamp}"""]
            }
          }
        ]
      },
        "docs": [
        {
          "_source": {
            "message": "2019-09-29T00:39:02.91ZZ 55.3.244.1 GET /index.html 15824 0.043  "
          }
        }
      ]
    }

    ## GROK WORKS FINE
    POST /_ingest/pipeline/_simulate
    {
      "pipeline": {
        "processors": [
          {
            "grok": {
              "field": "message",
              "patterns": ["""%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{TIMESTAMP_ISO8601:@timestamp}"""]
            }
          }
        ]
      },
        "docs": [
        {
          "_source": {
            "message": "55.3.244.1 GET /index.html 15824 0.043 2019-09-29T00:39:02.91ZZ"
          }
        }
      ]
    }

system · May 16, 2020, 5:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to grok ingest pipeline for Caddy log (even after running in grok debugger) Elasticsearch	3	780	August 4, 2020
Grok pattern failing in ingest pipeline, but working in grok debugger Elasticsearch	1	490	March 13, 2018
[SOLVED] Pipeline: field [timestamp] not present as part of path [timestamp] Elasticsearch	2	11703	May 2, 2018
Log Grok does not work Logstash	2	314	September 28, 2018
Elasticsearch grok processor error Elasticsearch	5	1148	March 28, 2018

GROK strange issue

Related topics