Logstash grok regex bug?

elasticnubie · June 17, 2019, 12:42am

Logstash grok regex match result is not same with Kibana Grok Debugger.
(I think Kibana Grok Debugger's result is correct.)

Is there my fault? or is it grok's bug?

Filebeat Config

filebeat.inputs:
- type: log
  paths:
    - C:/filebeat/smtp.log
  multiline.pattern: 'SMTP Server: Originator'
  multiline.negate: true
  multiline.match: after
  multiline.flush_pattern: 'SMTP Server: Message'

Logstash Config

filter {
    grok {
        match => {
            "message" => "\[.*\] (?<timestamp>\d{4}-\d{2}-\d{2} (?:AM|PM) \d{2}:\d{2}:\d{2})  SMTP Server: Originator: (?<sender>.*?)\n(?<temp_receiver>(?:.*SMTP Server: Recipient: .*\n)+)(?:.*\n)*(?:.*SMTP Server: Message.*size (?<size>.*))"
        }
    }
}

Logstash Debug Output

Kibana Grok Debugger Result

How can I get a same result with kibana grok debugger in logstash grok?
plz, help me~

Badger · June 17, 2019, 12:56pm

Please do not post pictures of text, just post the text.

system · July 15, 2019, 12:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
My grok debugger pattern output doesn't look like the kibana output! Kibana	5	373	May 6, 2019
Logstash output not the same as grok debugger Logstash	13	662	May 7, 2019
Grok on logstash not working, but working on grokdebugger Logstash	2	641	February 5, 2018
Grok debugger parse problem Kibana	2	292	May 20, 2021
Logstash grok parse failure, while kibana grok debugger works fine Logstash	2	660	March 21, 2020

Logstash grok regex bug?

Related topics