Hi Team,
I'm using Logstash 6.8.3, and I'm trying to parse ES slow logs. My sample field is an ES source_query which looks like this:
{"from":0,"size":0,"post_filter":{"bool":{"must":[{"term":{"someId":{"value":1234,"boost":1.0}}},{"bool":{"must":[{"term":{"indexedAttributes.some_id.long":{"value":1234,"boost":1.0}}},{"term":{"deleted":{"value":"false","boost":1.0}}},{"term":{"someGroupIds":{"value":121221,"boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}}],"adjust_pure_negative":true,"boost":1.0}},"version":true,"_source":{"includes":["orderId"],"excludes":},"sort":[{"sortedAttributes.lastUpdatedOn.date":{"order":"desc","missing":"_last","unmapped_type":"keyword"}}]}
and the grok pattern I've used is like below:
^{\"from\":%{INT},\"size\":(%{DATA:totalSize}),%{DATA}{\"someId\":{\"value\":%{INT:someId},%{DATA}}$
and it works perfectly in https://grokdebug.herokuapp.com/ (see the screenshot below); however, Logstash returns "tags" => [
[0] "_grokparsefailure"
] and I don't see the extracted fields totalSize and someId.
Can anyone please help me understand why it is behaving this way? Please note that the given sample is just an example; we will have n number of source_query patterns, and I'm using break_on_match => true.
Thanks,
Vaseem | Principal Engineer, QA
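As an added example (not part of Vaseem's post and not Logstash's own code), here is a small offline harness that expands the posted grok pattern into a plain regular expression, using the INT and DATA definitions from logstash-patterns-core, and runs it against the posted sample query. It also shows one failure mode that a single-line debugger never exercises: DATA is `.*?`, and `.` does not cross a newline, so the same pattern returns no match as soon as the field value contains a line break. The helper names (`grok_to_regex`, `grok_match`) and the newline-injected sample are constructed for this example.

```python
import re

# Pattern definitions copied from logstash-patterns-core (grok-patterns file);
# these are the only two that the posted pattern relies on.
GROK_PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "DATA": r".*?",
}

# %{NAME} or %{NAME:field}
_GROK_SYNTAX = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(grok_pattern):
    """Expand %{NAME} / %{NAME:field} into a Python regex.

    grok (Oniguruma) writes named captures as (?<field>...); Python's re
    module uses (?P<field>...). Everything else in the pattern is kept as-is,
    so the \" escapes from the Logstash config still match a literal quote.
    """
    def expand(match):
        name, field = match.group(1), match.group(2)
        body = GROK_PATTERNS[name]
        return "(?P<%s>%s)" % (field, body) if field else body

    return _GROK_SYNTAX.sub(expand, grok_pattern)


def grok_match(grok_pattern, text):
    """Return the captured fields as a dict, or None on _grokparsefailure."""
    regex = re.compile(grok_to_regex(grok_pattern))
    m = regex.search(text)  # grok does not anchor; ^ and $ are in the pattern
    return m.groupdict() if m else None


# The pattern exactly as posted.
POSTED_PATTERN = (
    r'^{\"from\":%{INT},\"size\":(%{DATA:totalSize}),'
    r'%{DATA}{\"someId\":{\"value\":%{INT:someId},%{DATA}}$'
)

# The source_query from the post, as one line.
SAMPLE = '{"from":0,"size":0,"post_filter":{"bool":{"must":[{"term":{"someId":{"value":1234,"boost":1.0}}},{"bool":{"must":[{"term":{"indexedAttributes.some_id.long":{"value":1234,"boost":1.0}}},{"term":{"deleted":{"value":"false","boost":1.0}}},{"term":{"someGroupIds":{"value":121221,"boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}}],"adjust_pure_negative":true,"boost":1.0}},"version":true,"_source":{"includes":["orderId"],"excludes":},"sort":[{"sortedAttributes.lastUpdatedOn.date":{"order":"desc","missing":"_last","unmapped_type":"keyword"}}]}'

# Constructed variant: the same query with a single line break inside it,
# as happens when the field is pretty-printed or carries a trailing newline.
SAMPLE_WITH_NEWLINE = SAMPLE.replace('"size":0,', '"size":0,\n', 1)


if __name__ == "__main__":
    print(grok_to_regex(POSTED_PATTERN))
    print("single line :", grok_match(POSTED_PATTERN, SAMPLE))
    print("with newline:", grok_match(POSTED_PATTERN, SAMPLE_WITH_NEWLINE))
```

The single-line run captures `totalSize` = `0` and `someId` = `1234`, which is what the debugger shows; the variant with a newline returns nothing, because `.*?` cannot step over `\n` in Oniguruma any more than in Python. To see exactly what the pipeline is matching against, dump the event with `stdout { codec => rubydebug }` before the grok filter and paste that field value, rather than the hand-copied query, into the debugger.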