Seems to work fine here:
$ cat test.config
filter {
if [type] == "syslog" {
grok {
match => {
"message" => ["%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: Launching batch job %{NUMBER:job_id} for UID %{POSINT:slurm_user_id}","%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: launch task %{NUMBER:job_id} request from %{PROG:slurm_host} (\(port %{POSINT:slurm_port}\))","%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: _run_prolog: run job script took usec=%{NUMBER:slurm_usec}","%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: _run_prolog: prolog with lock for job %{POSINT:job_id} ran for %{NUMBER:slurm_time}"]
}
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
}
syslog_pri { }
if !("_grokparsefailure" in [tags]) {
mutate {
add_tag => "parsed_by_slurm_filter"
}
}
mutate {
rename => { "syslog_message" => "message" }
}
}
$ /opt/logstash/bin/logstash -f test.config --configtest
Configuration OK