Rovided Grok patterns do not match data in the input, create array for each field while it's a string

-csv exemple:

A;B;C
as991m;tr;lbr-expl/trd/jcl/as991m
as991mb;tr;lbr-expl/trd/jcl/as991mb
as991t;tr;lbr-expl/trd/jcl/as991t
as991tb;tr;lbr-expl/trd/jcl/as991tb
as991w;tr;lbr-expl/trd/jcl/as991w
as991wb;tr;lbr-expl/trd/jcl/as991wb
atrad;trd,trd,trd,trd,trd,trd,tr;lbr-expl/trd/jcl/anom,lbr-expl/trd/jcl/apren,lbr-expl/trd/jcl/avoie,lbr-expl/trd/jcl/avoieb,lbr-expl/trd/jcl/apays,lbr-expl/trd/jcl/aprof,lbr-expl/trd/jcl/atabval

-logstash config:

input {
	file {
		path => "c:/elk/csv/opnsutil.csv"
		start_position => "beginning"
		sincedb_path => "NUL"
	}
}

filter {
   csv {
      separator => ";"
	  skip_header => "true"	  
	  columns => ["A","B","C"]
	}
	mutate {
		gsub => ["event.original", "\r", ""]
	}
	grok {
        match => { "message" => "%{WORD:A};%{WORD:B};%{GREEDYDATA:C}" }
    }
	
	mutate {
		gsub => ["message", ";;\r", ""]
	}
	
	mutate {
		gsub => ["message", "\r", ""]
	}
	
	
	if ![message] {
        drop { }
	}


	mutate {
		remove_field => ["@timestamp","path","host","@version"]
	}
}

output {
  elasticsearch {
    hosts => ["http://10.0.203.62:9200"]
	data_stream => false
    index => "jcl-opnsutil"
  }
  stdout {
    codec => rubydebug
    }
}

-Result:

{
              "C" => [
        [0] "lbr-expl/trd/jcl/ut991m",
        [1] "lbr-expl/trd/jcl/ut991m\r"
    ],
             "event" => {
        "original" => "ut991m;tr;lbr-expl/trd/jcl/ut991m\r"
    },
           "message" => "ut991m;tr;lbr-expl/trd/jcl/ut991m",
       "B" => [
        [0] "tr",
        [1] "tr"
    ],
               "log" => {
        "file" => {
            "path" => "c:/elk/csv/opnsutil.csv"
        }
    },
    "A" => [
        [0] "ut991m",
        [1] "ut991m"
    ]
}

Why ?
Thanks

Didn't get the why but replacing by kv{}, it works

Regards

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.