Issues with grok and beats input

Hello everyone,

I have been racking my brain trying to figure out what I'm doing wrong here. I have a really simple input I'm testing with that I cannot seem to get working correctly.

I have this log file that outputs "Virtual Drive: 1 (Target Id: 1)\tState : Optimal". I have a grok pattern:

    input {
      beats {
        port => 5002
        type => "raid_log"
      }
    }

    filter {
      if [type] == "raid_log" {
        grok {
          match => { "message" => "Virtual Drive: %{NUMBER:[raid][virtual][volume]} (Target Id: %{NUMBER:[raid][virtual][target][id]})\tState : %{WORD:[raid][status]} " }
          remove_field => "message"
          tag_on_failure => [ "raid_grok_failure" ]
        }
      }
    }

That shows that it matches correctly everywhere I look. I have added the tag, which it does tag. I have tried every combination of everything I can think of and it will not seem to work correctly. Any ideas?

This is the output seen in Kibana:

    log.file.path: /var/log/mdstatevd1.log
    @timestamp: October 18th 2019, 10:48:01.976
    @version: 1
    host.os.codename: Core
    host.os.version: 7 (Core)
    host.os.family: redhat
    host.os.platform: centos
    host.os.name: CentOS Linux
    host.architecture: x86_64
    host.name: storage.localhost
    host.id: 4aad5c78af8e4375975960456a480b00
    host.containerized: false
    message: Virtual Drive: 1 (Target Id: 1) State : Optimal
    beat.version: 6.8.3
    beat.name: storage.localhost
    beat.hostname: storage.localhost
    input.type: log
    prospector.type: log
    tags: beats_input_codec_plain_applied, raid_grok_failure
    offset: 72,920
    source: /var/log/mdstatevd1.log
    type: raid_log
    _id: TEH7320BpiL6ZVECyFmT
    _type: doc
    _index: filebeat-6.8.3-2019.10.18
    _score: -

Also, the output here shows "Virtual Drive: 1 (Target Id: 1) State : Optimal"

whereas the output in /var/log/messages on Elastic shows:

"Virtual Drive: 1 (Target Id: 1)\tState : Optimal"

I have tried both ways of matching and still get the same result.

Anyone?
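
The grok failure described above can be reproduced outside Logstash. The following Python sketch is an added example, not part of the original post: it expands a small subset of grok (`NUMBER` and `WORD`, with simplified stand-in definitions) into a regular expression and runs the posted pattern and an adjusted one over constructed sample lines. The adjusted pattern assumes the separator before `State` is whitespace (a tab or a space).

```python
import re

# Simplified stand-ins for the stock grok patterns (assumption: the real
# NUMBER definition is stricter, but behaves the same on these inputs).
GROK = {"NUMBER": r"[+-]?\d+(?:\.\d+)?", "WORD": r"\b\w+\b"}

def grok_to_regex(pattern):
    """Expand %{NAME:field} references; everything else stays raw regex."""
    fields = []
    def expand(m):
        fields.append(m.group(2))
        return "(?P<f%d>%s)" % (len(fields) - 1, GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):([^}]+)\}", expand, pattern)), fields

def grok_match(pattern, message):
    """Return {field: value} on a match, or None (what grok tags as a failure)."""
    regex, fields = grok_to_regex(pattern)
    m = regex.search(message)
    if m is None:
        return None
    return {name: m.group("f%d" % i) for i, name in enumerate(fields)}

# Pattern as posted: the bare parentheses are a regex group, not literal
# characters, and the trailing space demands a space after the status word.
POSTED = (r"Virtual Drive: %{NUMBER:[raid][virtual][volume]} "
          r"(Target Id: %{NUMBER:[raid][virtual][target][id]})"
          r"\tState : %{WORD:[raid][status]} ")

# Adjusted: parentheses escaped, \s+ for the separator, no trailing space.
ADJUSTED = (r"Virtual Drive: %{NUMBER:[raid][virtual][volume]} "
            r"\(Target Id: %{NUMBER:[raid][virtual][target][id]}\)"
            r"\s+State : %{WORD:[raid][status]}")

# Constructed samples: one tab-separated, one space-separated.
SAMPLES = ["Virtual Drive: 1 (Target Id: 1)\tState : Optimal",
           "Virtual Drive: 1 (Target Id: 1) State : Optimal"]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(repr(msg))
        print("  posted:  ", grok_match(POSTED, msg))
        print("  adjusted:", grok_match(ADJUSTED, msg))
```
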
