Result different between grok debugger and grok logstash

Hey everybody,

I try to parse this log line :

*       /data/EDT/batchs/files/logs/E-0001MT-20180423-20180424-0050.log          *

My grok :

(?<NOM_BATCH>E-[0-9A-Z]+)-%{BASE16NUM:DATE_JOURNEE_BATCH}-%{BASE16NUM:DATE_EXECUTION_BATCH}-%{BASE16NUM:HEURE_EXECUTION_BATCH}

The Grok Debugger result :

{
  "NOM_BATCH": [
    "E-0001MT"
  ],
  "DATE_JOURNEE_BATCH": [
    "20180423"
  ],
  "DATE_EXECUTION_BATCH": [
    "20180424"
  ],
  "HEURE_EXECUTION_BATCH": [
    "0050"
  ]
}

Everything is correct, but when I parse with logstash this is the result :

logstash bug parse.JPG1124×268 31.7 KB

  "NOM_BATCH"             => "0001MT"
  "DATE_JOURNEE_BATCH"    => "20180423"
  "DATE_EXECUTION_BATCH"  => "20180424"
  "HEURE_EXECUTION_BATCH" => "0050"

The "E-" of "NOM_BATCH" field has disappear. Why logstash debugger is true when logstash grok is wrong ?

Anybody Can help me ?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.