_grokparsefailure in Logstash

Astarandel · February 21, 2019, 2:40pm

Greetings everyone,

I m pretty new to the whole ELK stack, please excuse me if this seems as a noob question.

I am trying to match the following log message:

frost: (Total of 4 licenses issued; Total of 0 licenses in use)

Using the following grok pattern:

%{WORD:program_name}: (Total of %{BASE10NUM:licenses_total:int} licenses issued; Total of %{BASE10NUM:licenses_in_use:int} licenses in use)

I've tested the pattern with 3 different debuggers and according to them it should be fine. Unfortunately I get _grokparsefailure

Could you please help?

best,

Lyubo

Badger · February 21, 2019, 2:47pm

Parentheses have meaning in regular expression (they define capture groups) so you need to escape them.

"%{WORD:program_name}: \(Total of %{BASE10NUM:licenses_total:int} licenses issued; Total of %{BASE10NUM:licenses_in_use:int} licenses in use\)"

Astarandel · February 22, 2019, 8:11am

Hello Badger...they are escaped..for some reason when I pasted the line it was not posted correctly but the line is:

"%{WORD:program_name}: \(Total of %{BASE10NUM:licenses_total:int} licenses issued; Total of %{BASE10NUM:licenses_in_use:int} licenses in use\)"

Sorry about the confusion

system · March 22, 2019, 8:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error parsing simple log Logstash	2	265	October 18, 2019
_grokparsefailure in the file Logstash	6	948	August 30, 2017
_grokparsefailure problem Logstash	3	357	September 4, 2019
Using regex grouping and logical OR in a Grok Pattern Logstash	3	14213	July 6, 2017
Regular expression problem Logstash	12	2463	July 6, 2017