Grokparsefailure although test pages show a match


(jahlives) #1

I have trouble with a grok pattern. Running logstash 2.3.4 on CentOS (CentOS Linux release 7.3.1611 (Core)) with the latest updates.
A pattern that I have does not match the line, although the pages https://grokdebug.herokuapp.com/ and http://grokconstructor.appspot.com/do/match do show that the pattern matches. But in logstash I get the _grokparsefailure tag set.

The patterns look as follows

COMPONENT_FUGLU fuglu\[%{NUMBER:pid}\]|quargui
PREFIX_FUGLU (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) ?%{SYSLOGHOST:logsource} ?%{COMPONENT_FUGLU}: ?
FUGLU_VAL [^"]+
FUGLU_CM4_APPENDER fuglu.plugin.CM4Appender.maillog: 0 "(?:%{GREEDYDATA:from_user}@%{GREEDYDATA:from_domain})?" "(?:%{GREEDYDATA:to_user}@%{FUGLU_VAL:to_domain})?" "%{FUGLU_VAL:fugluid}" "%{FUGLU_VAL:qid}" "%{FUGLU_VAL:clienthostname}" "%{FUGLU_VAL:clientip}" "%{FUGLU_VAL:clienthelo}" "%{FUGLU_VAL:size}" "%{FUGLU_VAL:quarantined}" "%{FUGLU_VAL:tagandsend}" "%{FUGLU_VAL:spamstatus}" "%{FUGLU_VAL:virus}" "%{FUGLU_VAL:blockedfile}" "%{FUGLU_VAL:noadmreview}" "%{FUGLU_VAL:hidden}" "%{FUGLU_VAL:reviewed}" "%{FUGLU_VAL:messageid}" "%{GREEDYDATA:subject}"
FUGLU_CM4_QUAR1 cm4.quarantine.maillog: 0 "(?:%{GREEDYDATA:from_user}@%{GREEDYDATA:from_domain})?" "(?:%{GREEDYDATA:to_user}@%{FUGLU_VAL:to_domain})?" "%{FUGLU_VAL:fugluid}" "%{FUGLU_VAL:qid}" "%{FUGLU_VAL:clienthostname}" "%{FUGLU_VAL:clientip}" "%{FUGLU_VAL:clienthelo}" "%{FUGLU_VAL:size}" "%{FUGLU_VAL:quarantined}" "%{FUGLU_VAL:tagandsend}" "%{FUGLU_VAL:spamstatus}" "%{FUGLU_VAL:virus}" "%{FUGLU_VAL:blockedfile}" "%{FUGLU_VAL:noadmreview}" "%{FUGLU_VAL:hidden}" "%{FUGLU_VAL:reviewed}" "%{FUGLU_VAL:messageid}" "%{GREEDYDATA:subject}"
FUGLU %{PREFIX_FUGLU}(?:%{FUGLU_CM4_APPENDER}|%{FUGLU_CM4_QUAR1})

Why do the test pages show that the pattern matches and logstash itself does not match?
Thanks a lot for any hint :)

Cheers

tobi
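Added example, not part of the post above and not code from logstash or fuglu: a small Python harness that expands the posted definitions the way grok does (each %{NAME:field} reference resolved recursively into one regex, unnamed references wrapped in a non-capturing group so the `|` in COMPONENT_FUGLU stays contained) and runs them over constructed log lines, one for the CM4Appender branch and one for the quarantine branch, plus the same line with the syslog prefix stripped to show what a non-match looks like. Everything not in the post is an assumption: the core patterns (SYSLOGTIMESTAMP, TIMESTAMP_ISO8601, SYSLOGHOST, NUMBER, GREEDYDATA) are simplified stand-ins rather than the logstash originals, and the sample lines are made up; the thread does not say what logstash was actually fed.

```python
import re

# Simplified stand-ins for the logstash core patterns that the posted
# definitions reference. Approximations written for this example, not the
# regexes shipped in logstash's grok-patterns file.
CORE_PATTERNS = {
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "SYSLOGTIMESTAMP": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}",
    "TIMESTAMP_ISO8601": r"[0-9]{4}-[0-9]{2}-[0-9]{2}[T ][0-9]{2}:[0-9]{2}(?::[0-9]{2}(?:\.[0-9]+)?)?(?:Z|[+-][0-9]{2}:?[0-9]{2})?",
    "SYSLOGHOST": r"[A-Za-z0-9._-]+",
    "GREEDYDATA": r".*",
}

# The custom definitions from the post, verbatim, in patterns_dir file syntax
# ("NAME pattern", one per line).
CUSTOM_PATTERNS = r"""
COMPONENT_FUGLU fuglu\[%{NUMBER:pid}\]|quargui
PREFIX_FUGLU (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) ?%{SYSLOGHOST:logsource} ?%{COMPONENT_FUGLU}: ?
FUGLU_VAL [^"]+
FUGLU_CM4_APPENDER fuglu.plugin.CM4Appender.maillog: 0 "(?:%{GREEDYDATA:from_user}@%{GREEDYDATA:from_domain})?" "(?:%{GREEDYDATA:to_user}@%{FUGLU_VAL:to_domain})?" "%{FUGLU_VAL:fugluid}" "%{FUGLU_VAL:qid}" "%{FUGLU_VAL:clienthostname}" "%{FUGLU_VAL:clientip}" "%{FUGLU_VAL:clienthelo}" "%{FUGLU_VAL:size}" "%{FUGLU_VAL:quarantined}" "%{FUGLU_VAL:tagandsend}" "%{FUGLU_VAL:spamstatus}" "%{FUGLU_VAL:virus}" "%{FUGLU_VAL:blockedfile}" "%{FUGLU_VAL:noadmreview}" "%{FUGLU_VAL:hidden}" "%{FUGLU_VAL:reviewed}" "%{FUGLU_VAL:messageid}" "%{GREEDYDATA:subject}"
FUGLU_CM4_QUAR1 cm4.quarantine.maillog: 0 "(?:%{GREEDYDATA:from_user}@%{GREEDYDATA:from_domain})?" "(?:%{GREEDYDATA:to_user}@%{FUGLU_VAL:to_domain})?" "%{FUGLU_VAL:fugluid}" "%{FUGLU_VAL:qid}" "%{FUGLU_VAL:clienthostname}" "%{FUGLU_VAL:clientip}" "%{FUGLU_VAL:clienthelo}" "%{FUGLU_VAL:size}" "%{FUGLU_VAL:quarantined}" "%{FUGLU_VAL:tagandsend}" "%{FUGLU_VAL:spamstatus}" "%{FUGLU_VAL:virus}" "%{FUGLU_VAL:blockedfile}" "%{FUGLU_VAL:noadmreview}" "%{FUGLU_VAL:hidden}" "%{FUGLU_VAL:reviewed}" "%{FUGLU_VAL:messageid}" "%{GREEDYDATA:subject}"
FUGLU %{PREFIX_FUGLU}(?:%{FUGLU_CM4_APPENDER}|%{FUGLU_CM4_QUAR1})
"""

# %{NAME}, %{NAME:field} or %{NAME:field:type}; the type suffix is ignored here.
_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::\w+)?\}")


def load_patterns(text):
    """Parse 'NAME pattern' lines into a dict, like a grok patterns_dir file."""
    library = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, body = line.partition(" ")
        library[name] = body.strip()
    return library


class Grok:
    """Expand %{...} references into one Python regex and run it over a line."""

    def __init__(self, pattern, library):
        self.library = library
        self.fields = []  # capture group index -> field name
        self.regex = re.compile(self._expand(pattern))

    def _expand(self, pattern):
        def replace(ref):
            name, field = ref.group(1), ref.group(2)
            if name not in self.library:
                raise KeyError("unknown grok pattern: " + name)
            inner = self._expand(self.library[name])  # references may nest
            if field is None:
                return "(?:%s)" % inner  # keeps a '|' inside the pattern contained
            # Python's re rejects duplicate group names (Oniguruma, which grok
            # uses, allows them), so groups get sequential names and the field
            # name is looked up from self.fields afterwards.
            self.fields.append(field)
            return "(?P<g%d>%s)" % (len(self.fields) - 1, inner)
        return _REF.sub(replace, pattern)

    def match(self, line):
        """Return the captured fields, or None where grok would tag _grokparsefailure."""
        m = self.regex.search(line)  # grok does not anchor either
        if m is None:
            return None
        captured = {}
        for index, field in enumerate(self.fields):
            value = m.group("g%d" % index)
            if value is not None:  # groups of the branch that did not match stay None
                captured[field] = value
        return captured


FUGLU_GROK = Grok("%{FUGLU}", {**CORE_PATTERNS, **load_patterns(CUSTOM_PATTERNS)})


def parse_fuglu(line):
    return FUGLU_GROK.match(line)


# Constructed sample lines (assumed format: the 18 quoted fields of the posted pattern).
_APPENDER_FIELDS = ["alice@example.org", "bob@example.net", "f1a2b3c4", "3BQ4K1sN9Z",
                    "mail.example.org", "192.0.2.10", "mail.example.org", "2048",
                    "0", "0", "ham", "clean", "0", "0", "0", "0",
                    "<msg-1@example.org>", "Test subject"]
_QUARANTINE_FIELDS = ["alice@example.org", "bob@example.net", "f1a2b3c4", "3BQ4K1sN9Z",
                      "mail.example.org", "192.0.2.10", "mail.example.org", "2048",
                      "1", "0", "spam", "clean", "0", "0", "0", "1",
                      "<msg-2@example.org>", "Quarantined subject"]
_quote = lambda fields: " ".join('"%s"' % f for f in fields)

SAMPLE_APPENDER_LINE = ("Jun 21 10:15:32 mx1 fuglu[4242]: fuglu.plugin.CM4Appender.maillog: 0 "
                        + _quote(_APPENDER_FIELDS))
SAMPLE_QUARANTINE_LINE = ("2017-03-01T09:00:00+01:00 mx1 quargui: cm4.quarantine.maillog: 0 "
                          + _quote(_QUARANTINE_FIELDS))
# Same event with the syslog prefix already consumed: PREFIX_FUGLU has nothing to match.
SAMPLE_NO_PREFIX_LINE = "fuglu.plugin.CM4Appender.maillog: 0 " + _quote(_APPENDER_FIELDS)

if __name__ == "__main__":
    for label, line in [("appender", SAMPLE_APPENDER_LINE),
                        ("quarantine", SAMPLE_QUARANTINE_LINE),
                        ("no prefix", SAMPLE_NO_PREFIX_LINE)]:
        result = parse_fuglu(line)
        print(label, "->", "_grokparsefailure" if result is None else result)
```

Python's re is not Oniguruma, so agreement here is evidence rather than proof that logstash will behave the same. The check a practitioner would do next is to compare the exact string in the field grok is matching against (for instance by adding a stdout output with the rubydebug codec) with what was pasted into the web testers; if an input or an earlier filter has already consumed the syslog prefix, the PREFIX_FUGLU part has nothing to match, which is what the third sample line shows, although the thread does not say whether that is what happened here.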


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.