Newbie assistance with grok

Lexa · March 15, 2017, 7:23pm

Hello,

I am new to logstash and struggling with custom grok.

I have a log file that has a series of bracket bound fields that I am trying to parse with kv. However, clearly I do not understand how to do this as, it is not processing my kv fields.

Here is my filter

filter {
if [type] == "my-pixi-service" {
grok {
patterns_dir => ["/etc/logstash/patterns"]
match => ["message", "%{MPS}"]
add_tag => ["mps" , "grokked" ]
}
kv {
source => "keyvalues"
field_split => "]["
remove_field => ["keyvalues"]
add_tag => ["taggedy_tag"]
}
}
}

Here is my pattern
MPS %{DATESTAMP:event_time} %{LOGLEVEL:log_level} %{GREEDYDATA:keyvalues}

The result is that is that I am getting the "keyvalues" field but, it is not executing the "kv" function. The keyvalues field is not being removed and the tag is not present.

I would greatly appreciate any assistance and guidance!

magnusbaeck · March 15, 2017, 7:47pm

Please show an example log line.

Lexa · March 16, 2017, 8:05pm

Hi,

Thank you for the reply. I was able to get assistance in the freenode channel.

Thank you!

system · April 13, 2017, 8:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Disapearing fields during kv parsing Elasticsearch	2	266	December 29, 2021
Kvpairs where one of the values is a JSON structure Logstash	9	2573	July 6, 2017
Kv filter value is not always correctly extracted using value_split_pattern Logstash	5	689	December 4, 2018
QUESTION ABOUT "LOGSTASH GROK MATCH" WITH ARRAY Logstash	4	1282	May 27, 2019
Grok Pattern to extract brackets content Logstash	5	2564	November 7, 2018

Newbie assistance with grok

Related Topics