Grokparsefailure message in the case of using grok filter

Hi all, I have some logs in the following format:

1925/05/01;2019-07-23;00:00:55.193;[[ (MD) 19915478 CR=25895;AC=TLK;Id=2458

I am using the following filter in my Logstash script:

filter {
    csv {
        columns => ["ODate", "Date", "Time", "message"]
        separator => ";"
    }
    if ("MD" and "CR" in [message]) {
        grok {
            match => { "message" => "\[\[%{SPACE}\(%{WORD:cn}\)%{SPACE}%{NUMBER:ID1}%{SPACE}CR=%{NUMBER:so};AC=%{WORD:Ac1};%{GREEDYDATA:other_message}" }
        }
    }
}

When Logstash is started, it leads to the following result:

{
         "ODate" => "1925/05/01",
       "column6" => "Id=2458",
      "@version" => "1",
          "path" => "F:/1.log",
          "Time" => "00:01:48.130",
          "host" => "myhost",
    "@timestamp" => 2019-08-29T07:58:18.402Z,
       "message" => "[[ (MD) 19915478 CR=25895;AC=TLK;Id=2458",
       "column5" => "AC=TLK",
          "tags" => [
        [0] "_grokparsefailure"
    ],
          "Date" => "2019-07-23"
}

while I want it to be as follows:

{
            "ODate" => "1925/05/01",
    "other_message" => "Id=2458",
         "@version" => "1",
             "path" => "F:/1.log",
             "Time" => "00:01:48.130",
             "host" => "myhost",
       "@timestamp" => 2019-08-29T07:58:18.402Z,
          "message" => "[[ (MD) 19915478 CR=25895;AC=TLK;Id=2458",
              "Ac1" => "TLK",
               "cn" => "MD",
              "ID1" => "19915478",
               "so" => "25895",
             "Date" => "2019-07-23"
}

Any advice will be much appreciated.

It has been solved. Thanks.
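
Added example, not part of the original thread: a small Python model of how splitting the sample line on every ";" interacts with a grok pattern that itself expects ";AC=" inside the field it is matched against. The regex stand-ins for the grok patterns and the helper names (grok_to_regex, csv_split, grok, split_keep_tail) are assumptions made for illustration; the thread does not say how the problem was actually solved.

```python
import re

# Constructed sample: the log line quoted in the post.
LINE = "1925/05/01;2019-07-23;00:00:55.193;[[ (MD) 19915478 CR=25895;AC=TLK;Id=2458"
COLUMNS = ["ODate", "Date", "Time", "message"]

# Simplified regex stand-ins for the grok patterns used in the post
# (assumption: adequate for this line, not the full grok definitions).
GROK = {"SPACE": r"\s*", "WORD": r"\w+",
        "NUMBER": r"[+-]?\d+(?:\.\d+)?", "GREEDYDATA": r".*"}
PATTERN = (r"\[\[%{SPACE}\(%{WORD:cn}\)%{SPACE}%{NUMBER:ID1}%{SPACE}"
           r"CR=%{NUMBER:so};AC=%{WORD:Ac1};%{GREEDYDATA:other_message}")


def grok_to_regex(pattern):
    """Expand %{NAME} and %{NAME:field} into plain or named regex groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))


def csv_split(line, columns, sep=";"):
    """Model of a csv-style split: named columns first, extras become columnN."""
    event = {}
    for i, value in enumerate(line.split(sep), start=1):
        key = columns[i - 1] if i <= len(columns) else f"column{i}"
        event[key] = value
    return event


def grok(event, field, regex):
    """Return the captured fields, or tag the event as a failed grok would."""
    m = regex.search(event.get(field, ""))
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return {}
    return m.groupdict()


def split_keep_tail(line, columns, sep=";"):
    """Split off only the leading columns so the last one keeps its own ';'."""
    return dict(zip(columns, line.split(sep, len(columns) - 1)))
```

Splitting on every separator leaves "message" ending at "CR=25895" with the rest in column5 and column6, so the pattern's ";AC=" has nothing to match; splitting off only the first three columns keeps the tail intact and the same pattern yields the fields the post asks for.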
