Ingest Pipeline for parsing multiline fields giving provided Grok expressions do not match field value error error

Elastic Stack Elasticsearch
1

I am trying to parse a multiline log file as shown below.
image

This is the processor that I have currently configured for the multiline log file.

[
  {
    "grok": {
      "field": "message",
      "patterns": [
        "%{GREEDYMULTILINE}%{ROW_TITLE}%{GREEDYDATA:name}"
      ],
      "pattern_definitions": {
        "GREEDYMULTILINE": "(.|\n)*",
        "ROW_TITLE": "name: "
      },
      "description": "extracts name from message"
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        "%{GREEDYMULTILINE}%{ROW_TITLE}%{GREEDYDATA:txt}"
      ],
      "pattern_definitions": {
        "GREEDYMULTILINE": "(.|\n)*",
        "ROW_TITLE": "txt: "
      }
    }
  }
]

The pipeline tries to process the log file that is aggregated from the custom log integration plug-in. However, I get an error saying that the Grok expressions does not match field value. I have tried to test the pipeline with same message via console and is successful. Is there something that I'm doing wrong that can be done differently? Is the issue coming from the log file itself?

2

Hi @SecretAsianMan Welcome to the community...

Please share a sample of the _source document in JSON that is being passed to this ingest processor.

Make sure it is not changed when you paste it here

Have you tried the _simulate API for ingest pipeline in Kibana Dev Tools?

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.