Hi everyone,
I would be really grateful for any ideas on how to solve the following issue. I have defined a regex pattern for a multiline log and checked its output in Logstash; everything looks correct. But once I send the data to Elasticsearch and create a Kibana index pattern, I get "_grokparsefailure" for the same data. My assumption is that in Logstash a new line is separated with \r\n, and when I check the same failure message in Kibana, a new line is separated with \n. I compared this using the Grok Debugger in Kibana, and there \n works and \r\n doesn't. I tried to include the condition (\r\n|\n) in the pattern, but it didn't work either. I have Windows and need to extract the number at the end, "TPP".
Thanks for any ideas!
Here is my code:
%{TIMESTAMP:ts} %{WORD:st} %{DATA:num} %{DATA:message_1} \- (?<message_2>[^\,]*)\((?<fieldname>[^)]*\)\,(\n|\r\n))\((?<fieldname1>[^)]*\)\,(\n|\r\n))\((?<fieldname2>[^)]*\)\,(\n|\r\n))\(%{WORD:fieldname3}\=%{NUMBER:TPP}
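
One way to test the line-ending assumption outside the pipeline, as an added example that is not the poster's code: it counts the CRLF and bare LF terminators in a message and runs the tail of the pattern with a strict `\n` and with `\r?\n`. The sample event, its field values and all helper names are constructed for illustration, and Ruby's regex engine stands in for the one grok uses.

```ruby
# Constructed sample shaped like the tail of the pattern in the post;
# the field names and values are made up for illustration.
SAMPLE_LINES = [
  "2021-03-04 10:15:00 INFO 42 worker - job finished(a=1),",
  "(b=2),",
  "(c=3),",
  "(total=17)"
].freeze

STRICT_LF = '\n'    # matches only a bare line feed
EITHER    = '\r?\n' # matches CRLF or a bare line feed

# Tail of the pattern, parameterised on the newline sub-pattern
# (hypothetical helper, simplified from the grok expression).
def tail_regex(newline)
  /\((?<f1>[^)]*)\),#{newline}\((?<f2>[^)]*)\),#{newline}\((?<f3>[^)]*)\),#{newline}\(\w+=(?<tpp>\d+)/
end

# Count which terminators the message really contains.
def line_endings(text)
  { crlf: text.scan(/\r\n/).size, lf: text.scan(/(?<!\r)\n/).size }
end

# Return the trailing number, or nil when the pattern does not match
# (the case grok reports as _grokparsefailure).
def extract_tpp(text, newline)
  m = tail_regex(newline).match(text)
  m && m[:tpp].to_i
end

if __FILE__ == $PROGRAM_NAME
  { "LF" => "\n", "CRLF" => "\r\n" }.each do |name, sep|
    text = SAMPLE_LINES.join(sep)
    puts "#{name}: endings=#{line_endings(text)} " \
         "strict=#{extract_tpp(text, STRICT_LF).inspect} " \
         "either=#{extract_tpp(text, EITHER).inspect}"
  end
end
```

Feeding the exact `message` value from a failed event into `line_endings` shows which terminator that stage of the pipeline actually delivered.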