I have an http input plugin in my Logstash configuration with the codec set to json:

    http {
        host => "0.0.0.0"
        port => "8080"
        user => "username"
        password => "password"
        codec => json
    }
So the message arriving in my filter section is:

    {
        "@timestamp" => 2017-06-23T06:16:05.000Z,
        "@version" => "1",
        "event" => {
            "logLevel" => "INFO",
            "description" => "sachchit.bansal@xyz.com \"Coupon\" \"Chrome\" \"Linux\" \"182.72.92.14, 172.20.14.45, 172.20.12.14\" \"182.72.92.14\" \"/user/dashboard\" \"Coupon - Dashboard\" _14981985629789475123422 \"URLChange\" \"\"",
            "className" => "internalUserTrackLog",
            "eventType" => "USER_TRACKING_INFO_EVENT"
        }
    }
I want to use a grok filter on the description field of the message. I don't want any other field. What I was doing is:

    grok {
        # COUPON_DATE is a custom pattern defined under patterns_dir
        match => [ "[event][description]", "%{COUPON_DATE:logdate} %{IPORHOST:machineIp} %{EMAILADDRESS:user} %{QS:account} %{QS:browser} %{QS:os} %{QS:forwardList} %{QS:ipAddress} %{QS:pageURL} %{QS:pageTitle} %{WORD:tabId} %{QS:eventType} %{GREEDYDATA:customKVP}" ]
        patterns_dir => "/etc/logstash/patterns"
    }

But I am getting a _grokparsefailure tag.