Reading up about this, it seems that the Kibana Grok Debugger behaves completely differently than Logstash… which is exactly the opposite of what you want from a debugging tool?
My patterns are using e.g.:
%{DATA:url.original}
syntax, which gives the correct (nested values) result in the Grok Debugger, but a single dot-separated field name with Logstash.
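Added example, not part of the original post: a Logstash pipeline that uses bracket field references (`[url][original]`) as the grok capture name, which is how Logstash addresses nested fields, so the event gets a nested `url` object rather than one field literally named `url.original`. The sample log line and every field name other than `url.original` are constructed for illustration.

```conf
# Constructed test input: one sample access-log style line (not from the post).
input {
  generator {
    lines => [ "203.0.113.7 GET /index.html?q=1 HTTP/1.1" ]
    count => 1
  }
}

filter {
  grok {
    # With the dotted form %{DATA:url.original}, Logstash stores a single
    # top-level field whose name contains a dot: "url.original".
    # With the bracket form below, Logstash creates nested fields:
    # url => { original => ... }.
    match => {
      "message" => "%{IPORHOST:[source][address]} %{WORD:[http][request][method]} %{DATA:[url][original]} HTTP/%{NUMBER:[http][version]}"
    }
    # Tag parse failures explicitly so unparsed lines are easy to find
    # downstream instead of silently missing the nested fields.
    tag_on_failure => [ "_grokparsefailure_access" ]
  }
}

output {
  # rubydebug prints the event structure, which shows whether "url" is a
  # nested hash or a flat "url.original" key before anything is indexed.
  stdout { codec => rubydebug }
}
```

Checking the `rubydebug` output before shipping to Elasticsearch confirms the field layout Logstash actually produces, which the Kibana Grok Debugger does not show.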