Ingest grok not behaving as expected

Nezzerscape · November 7, 2016, 3:57pm

I am trying to parse a FQDN from winlogbeat. A normal (logstash) grok pattern would be:

"%{DATA:Host}.%{GREEDYDATA:Domain}"

But this errors out when uploading:

PUT _ingest/pipeline/HOST
{
"description" : "Convert computer name",
"processors" : [
{
"grok": {
"field": "computer_name",
"patterns": [ "%{DATA:Host}.%{GREEDYDATA:Domain}" ]
}
}
]
}

Leads to:
{
"error": {
"root_cause": [
{
"type": "parse_exception",
"reason": "Failed to parse content to map"
}
],
"type": "parse_exception",
"reason": "Failed to parse content to map",
"caused_by": {
"type": "json_parse_exception",
"reason": "Unrecognized character escape '.' (code 46)\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@7fd41e9; line: 7, column: 38]"
}
},
"status": 400
}

Note I am using 5.0 of everything.

Nezzerscape · November 7, 2016, 4:01pm

I can get around the error with:
"patterns": [ "%{DATA:Host}'.'%{GREEDYDATA:Domain}"
but the results is the fqdn going into Domain and nothing in Host.

Parsing "myhost.my.domain.com" should be:
Host => "myhost"
Domina => "my.domain.com"

Nezzerscape · November 7, 2016, 4:22pm

SO with even more playing the following gave me the results I was looking for:
"patterns": [ "%{DATA:Host}[.]%{GREEDYDATA:Domain}" ]

system · December 5, 2016, 4:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.