Hi, I'm just "training" with grok patterns, and with this log file:
Apr 17 14:26:49 192.168.0.61 firewall 514865 11:12:13:14:15:16 abcd123|-=.>
If I do: grok { match => ["message", "%{SYSLOGTIMESTAMP:date} %{IP:ip}"] }
It works. But if I add %{WORD:service} to the line, it stops working.
Why?
What result do you get with this configuration?
input {
  generator {
    count => 1
    message => 'Apr 17 14:26:49 192.168.0.61 firewall 514865 11:12:13:14:15:16 abcd123'
  }
}
filter {
  grok {
    match => ["message", "%{SYSLOGTIMESTAMP:date} %{IP:ip} %{WORD:service}"]
  }
}
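To see what the grok filter actually does with the three-field pattern, here is an added Python re-implementation (not part of this thread or of Logstash) that expands %{NAME:field} references into a regex and runs it over the log line from the question. It assumes simplified copies of the core patterns (IP covers only IPv4 here) and shows that the whole match fails as soon as one sub-pattern does not fit the next token.

```python
import re
from typing import Optional

# Simplified copies of the grok core patterns the thread uses (assumption: these
# approximate logstash-patterns-core, e.g. IP covers only IPv4 here).
PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"(?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "IPV4": r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}"
            r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])",
    "IP": r"%{IPV4}",
    "WORD": r"\b\w+\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
}

# One %{NAME} or %{NAME:field} reference inside a grok expression.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def compile_grok(expr: str):
    """Expand grok references (recursively) into a plain regex with named groups."""
    def substitute(m) -> str:
        name, field = m.group(1), m.group(2)
        body = PATTERNS[name]                      # KeyError means an unknown pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    while GROK_REF.search(expr):
        expr = GROK_REF.sub(substitute, expr)
    return re.compile(expr)

def grok_match(expr: str, line: str) -> Optional[dict]:
    """Like the grok filter: unanchored search; None stands for _grokparsefailure."""
    m = compile_grok(expr).search(line)
    return m.groupdict() if m else None

# The log line from the question above.
LINE = "Apr 17 14:26:49 192.168.0.61 firewall 514865 11:12:13:14:15:16 abcd123|-=.>"

if __name__ == "__main__":
    print(grok_match("%{SYSLOGTIMESTAMP:date} %{IP:ip} %{WORD:service}", LINE))
    # Every sub-pattern must fit the next token, or the whole match fails:
    print(grok_match("%{SYSLOGTIMESTAMP:date} %{IP:ip} %{INT:pid}", LINE))
```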
© 2020. All Rights Reserved - Elasticsearch