I'm very new to logstash and even newer to the idea of grok statements. I have a config file that I've written to use a grok statement to read in a text file. I'm using custom patterns which I tested using the grok debugger, but when I run the file in logstash it reads in the text file but none of the data gets parsed into my fields. When I run the file with a stdout output it shows the following:
    {
        "@timestamp:" => 2019-09-23T12:09:36.836Z,
        "Message" => "The message for the line it was reading",
        "tags" => [ [0] "_grokparsefailure"],
        "host" => "host name",
        "path" => "path name",
        "@version" => "1"
    }
Below is my config file, and my custom pattern.
Config:

    input {
      file {
        path => [ "/Elastic/logstash-7.3.1/DVIS_Log.txt" ]
        start_position => "beginning"
        sincedb_path => "/Elastic/logstash-7.3.1/dvis_log_sincedb.txt"
      }
    }
    filter {
      grok {
        patterns_dir => ["/Elastic/logstash-7.3.1/patterns/DVIS_LOG_pattern.txt"]
        match => { "message" => "%{CUSTTIME} %{LRU} %{LRUID} %{SEVERITY} %{GREEDYDATA:message}" }
      }
      date {
        match => [ "timestamp", "yyyyMMdd'T'HHmmss" ]
      }
    }
    output {
      elasticsearch {
        hosts => "http://localhost:9200"
        index => "open-skies-css-bit-test"
      }
    }
Grok Pattern (one definition per line, as a patterns_dir file is laid out):

    CUSTTIME %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}\s*(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
    LRU [a-zA-Z0-9._-]+
    LRUID [a-zA-Z0-9._-]+
    SEVERITY [/-/ ].*?[/-/ ].*?.*?[/-/ ].*?[/-/ ]
Edit:
This is a sample line from the txt file:

    20190723T172417 AOSC 120013k801-1 [EVENT]: 07/23/19 17:24:17 AOSC --- Info --- MCCC Bad entered

I found this thread (Logstash _grokparsefailure. Unable to find issue) that seemed to imply that using multiple config files with grok can cause issues (which is my situation), but like I said I'm pretty new to this so I don't know.