Logstash: grok pars failure with multiple custom patterns

erikkn · September 27, 2017, 2:07pm

Hi guys,

I am trying to pars a log file of ~500 lines to find the following two lines: flaked=yes && platform=aws so that I can add these lines as attributes for the given event/document.
The configuration (logstash.conf):

filter {
  grok {
    patterns_dir => ["/usr/local/src/logstash/pattern"]
    match => { "message" => "%{FLAKED:flaked} %{PLATFORM:platform}" }
    }
  }

My pattern file:
FLAKED flaked\s*=\s*.?$
PLATFORM platform\s=\s*.*?$

The configuration above results in the following error:
"tags" : [
"multiline",
"_grokparsefailure"
]

The expressions are correct, it is working perfectly fine if I just use/call one of them. Do you guys know what the problem is and how to solve it?

Thanks!

magnusbaeck · September 27, 2017, 8:07pm

Use a stdout { codec => rubydebug } output to show us exactly what the event you want to match look like.

system · October 25, 2017, 8:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parser for multiple line file Logstash	6	617	July 6, 2017
Multiline filter fails on one record when handling a large file Logstash	12	3283	July 6, 2017
Grok filter cannot parse log lines that are AFTER a multiline event Logstash	8	1960	July 6, 2017
Grok pattern OK in debugger, but parse failure in logstash Logstash	5	740	March 25, 2020
Multiple patterns for Multiline Configuration? Logstash	3	1487	July 6, 2017

Logstash: grok pars failure with multiple custom patterns

Related topics