Logstash grok is failing to parse greedydata inside conditional statement

Elastic Stack Logstash
1

I am having a logs pattern as below

2018-05-04 06:30:00.010 [http-nio-6080-exec-6] INFO .Controller - Processing request 16329d7d247 from 10.209.15.10: /uri/64511/5800/
2018-05-04 06:30:00.007 [http-nio-6080-exec-7] INFO .Controller - Finished processing request 16329d7d247: status 200, body [1010], took 0ms

and i waned to grok the date differently depending on keyword in log as -Processing/ -Finished. Below is my grok filter.

grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{SYSLOG5424SD} %{LOGLEVEL:loglevel}  %{JAVACLASS} - %{WORD:processing} %{GREEDYDATA:log_message}" }
}
if [processing] == "Processing" 
{
   grok {
      match => ["log_message","request (?<requestID>[0-9a-z]) from %{IP:clientIP}/: %{URIPATHPARAM: uri}"]
   }
}
else
{
   grok{
      match => ["log_message", "processing request (?<requestID>[0-9a-z])\: status %{WORD:response}, body \[%{WORD:response_size}\]"]
   }
}

When running logstash with this config I am able to see the indexes getting created for the 1st grok(outside the if statement) but the indexes inside the if statement are not getting created.

Can someone please help whether i am doing anything wrong.

Thanks
Sriram

2

Should the forward slash be there?

Should there be a backslash before the colon here?

3

Hi Christian,

Thanks for pointing out I tried altering to %{IP:clientIP}: and for (?[0-9a-z]):

still no success, the grokking inside the if loop didnt happen

4

Please show an example event produced by Logstash. Use a stdout { codec => rubydebug } output.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.