Help with 'dissect_parsing_error' on 'log file path'

Yirmio · August 2, 2020, 10:03am

Hi

I'm collecting logs from a central location, where each machine keep the log in separate folder,
each folder name represents the machine name.

In Filebeat, I want to put the folder name as field 'HOSTNAME', below is the processors part in the config file:

    processors:
      - add_host_metadata: ~    
      - add_locale:
          format: abbreviation
      - add_fields:
          fields:        
            config_file_ver: "0.6"
      - if:
          regexp: 
            log.file.path: "^.*OSDLogs\\.*"
        then:
          - dissect:
              tokenizer: '^.*OSDLogs\\%{HOSTNAME}\\.*'
              field: "log.file.path"          
        else:
          - copy_fields:
              fields:
              - from: "agent.hostname"
                to: "HOSTNAME"

file path example:

\servername\public$\OSDLogs\host123\host123-181316.log

All docs get's the following tags:

log.flags dissect_parsing_error
tags _grokparsefailure

How can i solve it?

Thanks!

Yirmio · August 2, 2020, 2:21pm

in debug log i get this message:

could not find beginning delimiter: \\\\servername\\public$\\ in remaining: \\servername\public$\OSDLogs\6044234POOLBWS\6044234POOLBWS.log, (offset: 0)

system · August 30, 2020, 4:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.