Help with grok filter on ingest pipeline

Hello, I'm trying to use the following grok filter, but I'm getting a message saying it's in an invalid JSON format, but I think my filter is written correctly. Can you help me with this?

(%{TIMESTAMP_ISO8601:time})%{NOTSPACE} firewall: msg_id=\\"%{DATA:msg_id}\\" %{DATA:action} %{DATA:source} %{DATA:if} %{DATA:number1} %{DATA:protocol} %{DATA:number2} %{DATA:number3} %{IP:srcip} %{IP:destip} %{NUMBER:srcport} %{NUMBER:destport} offset %{NUMBER:number4} %{DATA:word1} %{NUMBER:number5} win %{NUMBER:number6}%{SPACE}signature_name=\\"%{DATA:signature_name}" signature_cat=\\"%{DATA:signature_cat}" signature_id=\\"%{DATA:signature_id}\\" severity=\\"%{NUMBER:severity}\\" sig_vers=\\"%{NUMBER:sig_vers}\\"%{SPACE}geo_src=\\"%{WORD:geo_src}\\"%{SPACE} geo_dst=\\"%{WORD:geo_dst}\\"%{SPACE}msg=\\"%{DATA:msg}\\"%{SPACE}%{GREEDYDATA:msg2}

Note: I'm using the ingest pipeline menu in Kibana.

Your pattern seems to pass validation for me. Did I miss something in your request?

I performed the same test and it didn't pass the validation. Anyway, I'm using an old version of ELK (7.13); could that be the reason for not validating?

Hmmm, yeah, that's possible. I'm on the latest (8.6).

I put the same filter on a newer version and it worked; that's probably it. Thanks anyway!
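Added example, not part of the thread: when a grok pattern containing double quotes has to go into a raw JSON request body (for instance `POST _ingest/pipeline/_simulate`), letting a JSON serializer do the escaping avoids "invalid JSON" errors from hand-written backslashes. The shortened pattern, the `message` field name and the sample log line are assumptions constructed for illustration.

```python
import json

# Shortened form of the thread's pattern, written the way it must match the
# raw log line: plain double quotes, no JSON escaping applied yet.
RAW_PATTERN = (
    r'%{TIMESTAMP_ISO8601:time}%{NOTSPACE} firewall: msg_id="%{DATA:msg_id}" '
    r'%{DATA:action} %{GREEDYDATA:rest}'
)

# Fragment copied from the thread's pattern: the opening quote is preceded by
# two backslashes while the closing quote has none.
PAGE_FRAGMENT = r'signature_name=\\"%{DATA:signature_name}"'

# Constructed sample log line (not taken from the thread).
SAMPLE_LOG = '2023-01-10T12:00:00-03:00 firewall: msg_id="3000-0150" Deny tcp'


def build_simulate_body(pattern, message, field="message"):
    """Return JSON text for the ingest simulate API, escaped by json.dumps."""
    body = {
        "pipeline": {
            "processors": [{"grok": {"field": field, "patterns": [pattern]}}]
        },
        "docs": [{"_source": {field: message}}],
    }
    return json.dumps(body, indent=2)


def hand_pasted_body(pattern):
    """Simulate pasting the pattern between quotes with no escaping step."""
    return '{"grok": {"field": "message", "patterns": ["' + pattern + '"]}}'


def is_valid_json(text):
    """True if the text parses as JSON, False otherwise."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    print(build_simulate_body(RAW_PATTERN, SAMPLE_LOG))
    print("raw paste valid: ", is_valid_json(hand_pasted_body(RAW_PATTERN)))
    print("page fragment ok:", is_valid_json(hand_pasted_body(PAGE_FRAGMENT)))
```

In a JSON string a literal quote is written `\"`; `\\"` is an escaped backslash followed by a quote that ends the string, which is why the fragment fails to parse when pasted into a raw body.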
