Newbie assistance with grok

Lexa · March 15, 2017, 7:23pm

Hello,

I am new to logstash and struggling with custom grok.

I have a log file that has a series of bracket bound fields that I am trying to parse with kv. However, clearly I do not understand how to do this as, it is not processing my kv fields.

Here is my filter

filter {
if [type] == "my-pixi-service" {
grok {
patterns_dir => ["/etc/logstash/patterns"]
match => ["message", "%{MPS}"]
add_tag => ["mps" , "grokked" ]
}
kv {
source => "keyvalues"
field_split => "]["
remove_field => ["keyvalues"]
add_tag => ["taggedy_tag"]
}
}
}

Here is my pattern
MPS %{DATESTAMP:event_time} %{LOGLEVEL:log_level} %{GREEDYDATA:keyvalues}

The result is that is that I am getting the "keyvalues" field but, it is not executing the "kv" function. The keyvalues field is not being removed and the tag is not present.

I would greatly appreciate any assistance and guidance!

magnusbaeck · March 15, 2017, 7:47pm

Please show an example log line.

Lexa · March 16, 2017, 8:05pm

Hi,

Thank you for the reply. I was able to get assistance in the freenode channel.

Thank you!

system · April 13, 2017, 8:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Disapearing fields during kv parsing Elasticsearch	2	266	December 29, 2021
Grok filter server logs with kv plugin Logstash	5	389	June 12, 2018
Parsing an array of KV pairs Logstash	2	495	February 21, 2019
Logstash KV parsing : k=field, v=value Logstash	5	440	June 6, 2018
KV filter trim with regex Logstash	4	2059	March 4, 2017

Newbie assistance with grok

Related topics