Please, I need help with grok patterns

Hello! All right?

Please, I need help with grok patterns.
When I test the pattern in Dev Tools -> Grok Debugger it works perfectly, but when I use it in the Logstash filter the event comes back tagged _grokparsefailure.
Is there a way to capture the _grokparsefailure response?
Below is my configuration.
Thanks for any help.

# Pipeline: read JSON events from the Kafka topic "application", run the custom
# NEWVALUE grok pattern against the "newValue" field of export_send events, and
# index every event tagged "application" into a yearly Elasticsearch index.
# NOTE(review): no TLS or authentication options are set on the kafka input or
# the elasticsearch output, and both address localhost. Confirm that is
# intended before pointing this config at remote hosts.
input {
  kafka {
    bootstrap_servers => "localhost:9092"
    topics => "application"
    tags => ["application"]
    codec => json
  }
}

filter {
  # Only events carrying the "application" tag with action.id "export_send"
  # are parsed.
  if "application" in [tags] and [action][id] == "export_send" {
    grok {
      # NEWVALUE is not a stock pattern; it is looked up in this directory.
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "newValue" => "%{NEWVALUE}" }
    }
    # This mutate sits outside the grok block and is not conditional on its
    # result, so YES_Export is added whether or not grok also tagged the event
    # with _grokparsefailure. It shows the branch was entered, not that the
    # pattern matched.
    mutate {
      add_tag => [ "YES_Export" ]
    }
  }
}

output {
  if "application" in [tags] {
    #stdout { codec => "rubydebug"}
    # Nothing here tests for _grokparsefailure, so events that failed parsing
    # are indexed into the same index as events that parsed.
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "application-%{+YYYY}"
    }
  }
}

Pattern

cat patterns/application
# NEWVALUE: matches the multi-line export summary text and captures output,
# export_name, export_file_format, amount_requested, last_balance,
# current_balance, search and identifiers. The trailing GREEDYDATA has no
# field name, so the rest of the text is matched but not stored.
# NOTE(review): a patterns file is read as a raw regular expression, with no
# string-escaping layer in front of it. If the doubled backslashes below are
# really in the file (and not an artifact of pasting), each one matches a
# literal backslash followed by "n"/"t" rather than a newline/tab. Confirm
# against the file on disk.
NEWVALUE Output: %{DATA:output}\\nExport name: %{DATA:export_name}\\nExport file format: %{DATA:export_file_format}\\nAmount requested: %{DATA:amount_requested}\\n\\nLast balance: %{DATA:last_balance}\\nCurrent balance: %{DATA:current_balance}\\n\\nSearched fields and terms: %{DATA:search}\\n\\tIdentifiers: %{DATA:identifiers}\\n%{GREEDYDATA}

stdout { codec => "rubydebug"}

{
"action" => {
"id" => "export_send"
},
"input" => {
"type" => "log"
},
"restrict" => "{\n "outputId": "1",\n "pks": [\n "04475444000129"\n ]\n}",
"log" => {
"file" => {
"path" => "/home/fernandosilveira/audit/logs2/audit.json"
},
"offset" => 3049695
},
"client" => {
"name" => "QQ",
"id" => "2"
},
"id" => "5e3c695ede62250006c010a8",
"@timestamp" => 2020-02-06T19:31:13.083Z,
"fields" => {
"application" => "test"
},
"ecs" => {
"version" => "1.1.0"
},
"host" => {
"name" => "fernando"
},
"date" => "2020-02-06T19:30:38.499Z",
"@version" => "1",
"app" => {
"label" => "SearchBar",
"id" => "searchbar"
},
"newValue" => "Output: Export (1)\nExport name: test123\nExport file format: salesforce\nAmount requested: 1\n\nLast balance: 43087128\nCurrent balance: 43087127\n\nSearched fields and terms: \n\tIdentifiers: 04475444000129\n\n\n\n",
"user" => {
"username" => "XXXX@YYYY.com",
"id" => "5ac51bcbf623ed00057bf2ad",
"name" => "Fernando Silveira"
},
"agent" => {
"ephemeral_id" => "ffec81ae-cb49-4911-86c0-d873d499fb30",
"id" => "235312ef-7660-4f62-bc95-58f1bb8cd4e4",
"type" => "filebeat",
"version" => "7.5.2",
"hostname" => "fernando"
},
"address" => "ttt.ttt.ttt.ttt",
"tags" => [
[0] "application",
[1] "_grokparsefailure",
[2] "YES_Export"
]
}

When I run

# Stand-alone reproduction: a generator input emits the sample text once
# (count => 1) and grok is applied with the expression written inline in this
# config, not as a NEWVALUE entry loaded through patterns_dir.
# NOTE(review): the match below targets "message" rather than "newValue", and
# the sample is a literal multi-line string in this file rather than a value
# decoded by the json codec. A match here does not by itself show how the same
# expression behaves when it is read from a patterns file.
input { generator { count => 1 lines => [ 'Output: Export (1)
Export name: test123
Export file format: salesforce
Amount requested: 1

Last balance: 43087128
Current balance: 43087127

Searched fields and terms:
    Identifiers: 04475444000129



' ] } }
filter {
    grok {
        # Same expression as the NEWVALUE pattern, supplied as a config string.
        match => {
            "message" => "Output: %{DATA:output}\\nExport name: %{DATA:export_name}\\nExport file format: %{DATA:export_file_format}\\nAmount requested: %{DATA:amount_requested}\\n\\nLast balance: %{DATA:last_balance}\\nCurrent balance: %{DATA:current_balance}\\n\\nSearched fields and terms: %{DATA:search}\\n\\tIdentifiers: %{DATA:identifiers}\\n%{GREEDYDATA}"
        }
    }
}
# Print each event to stdout in rubydebug form, with metadata output disabled.
output { stdout { codec => rubydebug { metadata => false } } }

It works fine for me...

       "identifiers" => "04475444000129",
"export_file_format" => "salesforce",
       "export_name" => "test123",

etc. I suggest you read this.
