Logstash Null Value

Kishore · July 21, 2016, 10:10am

I want to display null value from the below log in Kibana.
"Roles changed for user 'AIPTEST\geetanjali.j.podal' from "" to "ContentAdmin""

I can able to capture at 'https://grokdebug.herokuapp.com/' by using below Patterns and not able to capture through logstash config and Kibana as well.

"(?<role_type>\b\w+\b\s\b\w+\b) for user '%{WORD:domain}\%{USERNAME:role_changed_for}' from \"(?<role_from>.*)\" to \"(?<role_to>.*)\"\t%{USERNAME:id6}"

Result looks like this when i debug at 'https://grokdebug.herokuapp.com/'
"role_from": [
[
""
]
],
"role_to": [
[
"ContentAdmin"
]indent preformatted text by 4 spaces

magnusbaeck · July 21, 2016, 6:33pm

Please format your regular expression as code so it doesn't get mangled.

Kishore · July 22, 2016, 6:47am

Hi Magnus,

Thanks for your response, i am not clear about what your referring, you mean custom pattern?

If custom pattern please help me in doing.

magnusbaeck · July 22, 2016, 8:03am

Your regular expression has (most likely) been screwed up when you posted here since sequences like <whatever> are replaced with an empty string. Please edit your post, select the regular expression, and click the </> button in the toolbar. I don't want to guess what your regular expression looks like.

Kishore · July 22, 2016, 8:12am

I did, as you mentioned

magnusbaeck · July 22, 2016, 8:42am

You didn't format the whole expression as code so I still had to hand edit it to get it to work.

This works with the example input that you provided:

filter {
  grok {
    match => ["message", "(?<what>\b\w+\b\s\b\w+\b) for user '%{WORD:domain}\\%{USERNAME:role_changed_for}' from \"(?<role_from>.*)\" to \"(?<role_to>.*)\""]
    keep_empty_captures => true
  }
}

The keep_empty_captures option is the key.