Logstash Grok New Line Syntax

userR · July 25, 2019, 1:00am

Hi,

I am attempting to parse log data that are on different lines. When its read through filebeat and sent to logstash, the message contains \n. Unfortunetly, I am unable to deal with this and am getting an error when I parse it like this:

Badger · July 25, 2019, 12:37pm

Use a literal newline in the configuration to match a multiline pattern, like this.

userR · July 25, 2019, 5:29pm

The following doesn't work either. Is that what you meant?

Badger · July 25, 2019, 5:59pm

If your events contain newline then you need a literal newline in the pattern. However, if your events contain \n then you would use \\n.

userR · July 25, 2019, 6:16pm

My event contains a literal newline. However, when I output my logstash output to the console, I see \n in the "message" field.
I just adjusted my config syntax to this:

grok {
      match => [
        "message", "(?<logdate>[A-Z]{1}[a-z]{2} [0-9]{2}, [0-9]{4} [0-9]{1}:[0-9]{2}:[0-9]{2} [A-Z]{2}) %{NOTSPACE:requestpath} %{WORD:word}                                                                    
        %{WORD:status}%{GREEDYDATA:data}",

This unfortunately does not correctly parse the data.

Badger · July 25, 2019, 6:22pm

Shouldn't that be

    grok {
        match => [ "message", "(?<logdate>[A-Z]{1}[a-z]{2} [0-9]{2}, [0-9]{4} [0-9]{1}:[0-9]{2}:[0-9]{2} [A-Z]{2}) %{NOTSPACE:requestpath} %{WORD:word} 
%{WORD:status}%{GREEDYDATA:data}",

?

userR · July 25, 2019, 6:29pm

I believe either format works. Just adjusted to your format and it is still not being parsing correctly. However, I tried the //n and am having a tricky issue:

However, this parses correctly if I take out status:

edit: And when I do the following, I get a grokparsefailure:

"message", "(?<logdate>[A-Z]{1}[a-z]{2} [0-9]{2}, [0-9]{4} [0-9]{1}:[0-9]{2}:[0-9]{2} [A-Z]{2}) %{NOTSPACE:requestpath} %{WORD:word}\\n%{GREEDYDATA:data}"
It parses correctly up until the \n. So while the grok debugger is showing that it should be parsing correctly, it actually is not occuring when I run logstash

userR · July 25, 2019, 7:44pm

This is also another configuration that works in the debugger, but not when I run logstash

Badger · July 25, 2019, 8:37pm

What is the text you are trying to match against?

userR · July 25, 2019, 8:55pm

Mar 05, 2019 3:23:14 AM pluggin word\nWARNING: datadata

I ended up using gsub to drop "\n" and replace it with a space. From there, I was able to configure a pattern that worked.
"message", "(?<logdate>[A-Z]{1}[a-z]{2} [0-9]{2}, [0-9]{4} [0-9]{1}:[0-9]{2}:[0-9]{2} [A-Z]{2}) %{NOTSPACE:requestpath} %{WORD:word} %{WORD:status}: %{GREEDYDATA:data}",

Still a little weird as to why the debugger would say it was parsed correctly while logstash would throw a grokparsefailure error.

Anyways, appreciate the help. Here is the mutate gsub I used for reference.
mutate {gsub =>["message", "[\n]"," "]}

Badger · July 25, 2019, 9:05pm

Do you have config.support_escapes enabled?

Anyways, I think the problem was the trailing space at the end of the first line of your pattern.

userR · July 25, 2019, 9:11pm

That seems to be the issue, I had it set to false.

system · August 22, 2019, 9:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.