Logstash issue with %{UNIXPATH} in version 1.5.5 and up

In our (grok) logstash configuration we use a matching pattern like
with example log file entry
file path /opt/foo/bar/file.xml found

Until version 1.5.4 i get a field "filename" with value "/file.xml".

Since version 1.5.5 (and 1.5.6) the log line will not be parsed at all. My logstash just hangs.
The same behaviour appears in logstash 2.1.1 (!).

This seems a change in behaviour in logstash since version 1.5.4.
Is this a desired behaviour or simply a bug?

Works fine for me, except that it doesn't match the right thing, but that's expected given the rather weird expression with two consecutive UNIXPATH patterns.

$ cat test.config 
input { stdin { } }
output { stdout { codec => rubydebug } }
filter {
  grok {
    match => ["message", "%{UNIXPATH}%{UNIXPATH:filename}"]
$ echo 'file path /opt/foo/bar/file.xml found' | /opt/logstash/bin/logstash -f test.config
Logstash startup completed
       "message" => "file path /opt/foo/bar/file.xml found",
      "@version" => "1",
    "@timestamp" => "2015-12-14T12:40:18.933Z",
          "host" => "lnxolofon",
      "filename" => "/file.xml"
Logstash shutdown completed

Hi Magnus,
thanks for your response.

Well, this is embarrassing :wink:
In my old terminal window it still does not work, i don't know why (there i have the same behaviour as originally described).
Then, i opened a new terminal window and tried again, and it worked, hmmm, strange.

Thanks for the quick response.

Best regards,

Hi again,

your test above works for me.
My production log file still doesn't with logstash 1.5.5/6.
Logstash just stops parsing at the line with %{UNIXPATH}%{UNIXPATH}.