Grok unable to parse message field

rschirin · April 20, 2020, 9:11am

Hi guys,
using an Ansible's plugin I'm trying to send data to Logstash.
Eveything seems ok but grok is not able to parse message field; I mean, I'm not able to configure it to work correctly
this is the content of my document:

{
  "_index": "jenkins-build-2020.04.20",
  "_type": "_doc",
  "_id": "3TnUlnEBnHvd3wub4nHB",
  "_version": 1,
  "_score": null,
  "_source": {
    "source_host": "https://jenkins.net.com/",
    "host": "xxxxx",
    "source": "jenkins",
    "@version": 1,
    "message": [
      "Started by user Mario Rossi",
      "Running as Mario Rossi",
      "Running in Durability level: MAX_SURVIVABILITY"

I'm trying to extract user and I tried a lot of combination on grok but everytime I face a _grokparsefailure. is there anyone that can help me?

Badger · April 20, 2020, 3:20pm

What have you tried?

rschirin · April 20, 2020, 3:40pm

This is my filter section

filter {
       grok {
        break_on_match => false
            match => [
                                "message", "      \"Started by user\s%{GREEDYDATA:username.start}\",",
                                "message", "\"Started by user %{DATA:username.start}\","
            ]
       }
}

Badger · April 20, 2020, 3:47pm

The quotes around "Started by user Mario Rossi" are not part of the field, they are the way rubydebug tells you it is a string. Try

grok { match => { "message" => "Started by user %{GREEDYDATA:username.start}" } }

rschirin · April 20, 2020, 3:53pm

I tried also without the double quote but it fails anyway.

system · May 18, 2020, 3:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.