cawoodm  
                (Marc)
               
                 
              
                  
                    December 12, 2019,  6:36pm
                   
                   
              1 
               
             
            
              I am unable to match any field which has a space. Consider the log:
"foo"
"foo bar"
"foobar"
 
The middle line, "foo bar", always results in _grokparsefailure.
Patterns I've tried to no avail:
match => { "message" => "\"(?<ip2>[\. .]+)\"" }
match => { "message" => "\"(?<ip2>[\S\s]+)\"" }
match => { "message" => "\"(?<ip2>[^\"]+)\"" }
 
All these patterns work in the Grok Tester.
Is there any way to debug the GROKKER?
{
     "@version" => "1",
        "agent" => {
                "type" => "filebeat",
            "hostname" => "UZNF68",
             "version" => "7.3.0",
        "ephemeral_id" => "c6792934-b582-4596-9837-d7b97c75a939",
                  "id" => "c744b46c-629e-4708-a44b-23db6e5b19fd"
    },
         "host" => {
        "name" => "aaa"
    },
       "source" => "access",
         "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_grokparsefailure"
    ],
          "app" => "%{category}",
          "ecs" => {
        "version" => "1.0.1"
    },
    "timeTaken" => 0.0,
      "message" => "\"foo bar\"",
     "priority" => 1,
       "fields" => {
        "system" => "dev",
        "source" => "access",
           "app" => "%{category}",
        "server" => "aaa"
    },
         "type" => "INFO",
          "log" => {
          "file" => {
            "path" => "D:\\aaa\\log\\test.log"
        },
        "offset" => 7
    },
        "input" => {
        "type" => "log"
    },
    "timestamp" => 2019-12-12T18:31:05.704Z,
       "server" => "aaa"
}
 
             
            
               
               
               
            
            
           
          
            
              
                Badger  
                
               
              
                  
                    December 12, 2019, 11:26pm
                   
                   
              2 
               
             
            
              The first pattern does not work because inside square brackets period does not mean "any character", it means a literal period. The other two work for me. For example,
# Self-contained reproduction: the generator input emits the quoted line '"foo bar"' once.
input { generator { count => 1 lines => [ '"foo bar"' ] } }
filter {
    # Capture the text between the opening double quote and the last double quote into ip2.
    # [\S\s] matches any character, whitespace included, so the space in "foo bar" is captured too.
    # NOTE(review): the expression is unanchored; if every line is expected to be exactly one
    # quoted string, adding ^ and $ would make that explicit and let non-matching lines fail fast.
    grok { match => { "message" => "\"(?<ip2>[\S\s]+)\"" } }
}
# Print the resulting event to stdout (metadata suppressed) so the extracted field can be inspected.
output { stdout { codec => rubydebug { metadata => false } } }
 
produces
       "ip2" => "foo bar",
   "message" => "\"foo bar\"", 
             
            
               
               
               
            
                
            
           
          
            
              
                cawoodm  
                (Marc)
               
              
                  
                    December 13, 2019,  9:27am
                   
                   
              3 
               
             
            
              Indeed, the first one does not work (my paste error), but neither do any of the others. Logstash 7.3 consistently spits a _grokparsefailure and will not parse them.
             
            
               
               
               
            
            
           
          
            
              
                cawoodm  
                (Marc)
               
              
                  
                    December 13, 2019,  3:15pm
                   
                   
              4 
               
             
            
              Logfile 
"foo1"
"foo bar1"
"foo2"
"foo bar2"
 
Logstash Pipeline Config 
# Receive events shipped by Filebeat over the Beats protocol on port 5058.
# NOTE(review): no ssl options are set here, so the listener runs with the plugin defaults;
# confirm whether TLS and client authentication are required before using this outside a test host.
input {
  beats {
    port => 5058
  }
}
filter {
  grok {
    # Match a literal opening double quote, then capture the rest of the line into "raw".
    # There is no closing \" after GREEDYDATA, so the trailing quote ends up inside the capture
    # (the posted output shows "raw" => "foo2\"").
    # A failed match is what adds the _grokparsefailure tag to an event.
    match => { "message" => "\"%{GREEDYDATA:raw}" }
  }
}
# Dump each event to stdout in rubydebug form, without @metadata, for inspection.
output {
  stdout {codec => rubydebug { metadata => false } }
}
 
Logstash Output 
{
       "message" => "\"foo2\"",
           "ecs" => {
        "version" => "1.0.1"
    },
           "log" => {
          "file" => {
            "path" => "D:\\tmp\\log\\access.gateway.log"
        },
        "offset" => 20
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
           "raw" => "foo2\"",
        "fields" => {
        "source" => "access",
        "system" => "dev",
        "server" => "bbb",
           "app" => "gateway"
    },
    "@timestamp" => 2019-12-13T15:13:06.039Z,
      "@version" => "1",
          "host" => {
        "name" => "aaa"
    },
         "agent" => {
             "version" => "7.3.0",
                  "id" => "e83188ea-468c-4e4f-9042-c4c35550e164",
        "ephemeral_id" => "f1ad0ce1-864b-4f93-86a5-faa79f8d076c",
            "hostname" => "aaa",
                "type" => "filebeat"
    },
         "input" => {
        "type" => "log"
    }
}
{
       "message" => "\"foo bar2\"",
           "ecs" => {
        "version" => "1.0.1"
    },
           "log" => {
          "file" => {
            "path" => "D:\\tmp\\log\\access.gateway.log"
        },
        "offset" => 28
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
           "raw" => "foo bar2\"",
        "fields" => {
        "source" => "access",
        "system" => "dev",
        "server" => "bbb",
           "app" => "gateway"
    },
    "@timestamp" => 2019-12-13T15:13:06.039Z,
      "@version" => "1",
          "host" => {
        "name" => "aaa"
    },
         "agent" => {
            "hostname" => "aaa",
        "ephemeral_id" => "f1ad0ce1-864b-4f93-86a5-faa79f8d076c",
                  "id" => "e83188ea-468c-4e4f-9042-c4c35550e164",
             "version" => "7.3.0",
                "type" => "filebeat"
    },
         "input" => {
        "type" => "log"
    }
}
 
             
            
               
               
               
            
            
           
          
            
              
                cawoodm  
                (Marc)
               
              
                  
                    December 13, 2019,  4:22pm
                   
                   
              5 
               
             
            
              The grok error went away - I had a logic mistake in my if conditionals, so a different grok statement was being executed.
             
            
               
               
               
            
            
           
          
            
              