Logstash Grok Filter Error Expected one of [ \t\r\n], "#", [A-Za-z0-9_-], '"', "'", [A-Za-z_], "-", [0-9], "[", "{"

Hello Logstash Community,

I am trying to parse the text below. I was able to filter it on the grokdebug site. However, I can't filter it in Logstash. It throws this: "LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", [A-Za-z0-9_-], '"', "'", [A-Za-z_], "-", [0-9], "[", "{" at line 13, column 26.

    2021-04-10 15:37:36,194 [7] DEBUG Default [(null)] - TranDate=04/10/2021|Message=*****|HasException=0|ExceptionMessage=|CommunicationKey=0|BusinessKey=0|ResourceCode=|ResourceId=0|ActionId=0|TranBranchId=|ChannelId=***|LanguageId=1|UserName=***|HostName=***|HostIP=***|ServerName=***|ApplicationSide=1|SystemDate=04/10/2021 15:37:36| 
    2021-04-10 15:37:36,394 [9] DEBUG Default [(null)] - TranDate=04/10/2021|Message=*****|HasException=0|ExceptionMessage=|CommunicationKey=0|BusinessKey=0|ResourceCode=|ResourceId=0|ActionId=0|TranBranchId=|ChannelId=***|LanguageId=1|UserName=***|HostName=***|HostIP=***|ServerName=***|ApplicationSide=1|SystemDate=04/10/2021 15:37:36| 

My Filter

    filter {
      grok{
    	match => { "message" => %{TIMESTAMP_ISO8601:timestamp} \[%{DATA:gereksiz}\] %{LOGLEVEL:log-level} %{DATA:gereksiz2} \[%{DATA:gereksiz3}\] %{DATA:gereksiz4}%{DATA:gereksiz5}- (?<TranDate>([TranDate]*=[a-zA-Z0-9\- : \/]*))(?<Message>([|Message]*=[a-zA-Z0-9\- : \/]*))(?<HasException>([|HasException]*=[a-zA-Z0-9\- : \/]*))(?<ExceptionMessage>([|ExceptionMessage]*=[a-zA-Z0-9\- : \/]*))(?<CommunicationKey>([|CommunicationKey]*=[a-zA-Z0-9\- : \/]*))(?<BusinessKey>([|BusinessKey]*=[a-zA-Z0-9\- : \/]*))(?<ResourceCode>([|ResourceCode]*=[a-zA-Z0-9\- : \/]*))(?<ResourceId>([|ResourceId]*=[a-zA-Z0-9\- : \/]*))(?<ActionId>([|ActionId]*=[a-zA-Z0-9\- : \/]*))(?<TranBranchId>([|TranBranchId]*=[a-zA-Z0-9\- : \/]*))(?<ChannelId>([|ChannelId]*=[a-zA-Z0-9\- : \/]*))(?<LanguageId>([|LanguageId]*=[a-zA-Z0-9\- : \/]*))(?<UserName>([|UserName]*=[a-zA-Z0-9\- : \/]*))(?<HostName>([|HostName]*=[a-zA-Z0-9\- : \/]*))(?<HostIP>([|HostIP]*=[a-zA-Z0-9\- : \/]*))(?<ServerName>([|ServerName]*=[a-zA-Z0-9\- : \/]*))(?<ApplicationSide>([|ApplicationSide]*=[a-zA-Z0-9\- : \/]*))(?<SystemDate>([|SystemDate]*=[a-zA-Z0-9\- : \/]*)) } 
      }
      date {
    	match => [ "timestamp", "ISO8601" ]
    	}
    }

There is an error with my grok filter syntax but I can't figure it out.

It does indicate that line 13, col 26 is having some syntax issue.

Looking at this line,

    	match => { "message" => %{TIMESTAMP_ISO8601:timestamp} \[%{DATA:gereksiz}\] %{LOGLEVEL:log-level} %{DATA:gereksiz2} \[%{DATA:gereksiz3}\] %{DATA:gereksiz4}%{DATA:gereksiz5}- (?<TranDate>([TranDate]*=[a-zA-Z0-9\- : \/]*))(?<Message>([|Message]*=[a-zA-Z0-9\- : \/]*))(?<HasException>([|HasException]*=[a-zA-Z0-9\- : \/]*))(?<ExceptionMessage>([|ExceptionMessage]*=[a-zA-Z0-9\- : \/]*))(?<CommunicationKey>([|CommunicationKey]*=[a-zA-Z0-9\- : \/]*))(?<BusinessKey>([|BusinessKey]*=[a-zA-Z0-9\- : \/]*))(?<ResourceCode>([|ResourceCode]*=[a-zA-Z0-9\- : \/]*))(?<ResourceId>([|ResourceId]*=[a-zA-Z0-9\- : \/]*))(?<ActionId>([|ActionId]*=[a-zA-Z0-9\- : \/]*))(?<TranBranchId>([|TranBranchId]*=[a-zA-Z0-9\- : \/]*))(?<ChannelId>([|ChannelId]*=[a-zA-Z0-9\- : \/]*))(?<LanguageId>([|LanguageId]*=[a-zA-Z0-9\- : \/]*))(?<UserName>([|UserName]*=[a-zA-Z0-9\- : \/]*))(?<HostName>([|HostName]*=[a-zA-Z0-9\- : \/]*))(?<HostIP>([|HostIP]*=[a-zA-Z0-9\- : \/]*))(?<ServerName>([|ServerName]*=[a-zA-Z0-9\- : \/]*))(?<ApplicationSide>([|ApplicationSide]*=[a-zA-Z0-9\- : \/]*))(?<SystemDate>([|SystemDate]*=[a-zA-Z0-9\- : \/]*)) } 

It is pointing to the start of your grok pattern. Did you happen to miss out the quotation marks ( " " )?

Hope this helps you!
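A quoted form of the filter, added here as an example and not part of the original posts. It goes beyond the one-character fix: the header is matched with grok and the `key=value|` tail is handed to the `kv` filter instead of one named group per field. The field names `thread`, `log_level`, `logger`, `context` and `kv_pairs` are assumptions chosen for illustration.

```logstash
filter {
  grok {
    # The pattern must be a single quoted string. Unquoted, the config parser
    # reaches '%' right after '=>' and raises the "Expected one of ..." error,
    # because it expects a quoted string, bareword, number, array or hash there.
    match => {
      "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:thread}\] %{LOGLEVEL:log_level} %{DATA:logger} \[%{DATA:context}\] - %{GREEDYDATA:kv_pairs}"
    }
  }

  # Split "TranDate=04/10/2021|Message=...|SystemDate=04/10/2021 15:37:36|"
  # into one event field per key. Values may contain spaces because only '|'
  # separates pairs.
  kv {
    source      => "kv_pairs"
    field_split => "|"
    value_split => "="
  }

  date {
    match => [ "timestamp", "ISO8601" ]
  }
}
```

Running Logstash with `--config.test_and_exit` parses the pipeline file and reports syntax errors like the one above without starting the pipeline.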

Thanks, that worked! All those regex patterns confused me :slight_smile:

Glad that I could help :slight_smile:
