Same pattern file gives pattern not define for only one pattern

SashaAlex · June 4, 2018, 7:15am

I have following pattern file.
CPAT ([\w-]+)
FRDOM ([\w-]+)
DEVC ([\w]+)

I had given permission for pattern file. but it gives the following error.

Pipeline aborted due to error {:exception=>#<Grok::PatternError: pattern %{CPAT:devicename} not defined>

my filter is like this.
grok{
patterns_dir => ["/etc/logstash/pattern.d"]
match => { "message" => "%{CISCOTIMESTAMP:timestamp} %{IP:serverip}.%%{DEVC:dev}.%{DEVC:devnum}.%{DEVC:status}: Device('%{CPAT:devicename}'/'%{CPAT:device}'/%{CPAT:devicemac}. at %{FRDOM:dom}.'%{FRDOM:rfdomain}" }
}

Badger · June 4, 2018, 2:59pm

In 6.2.4, with that filter (provided you add a backslash between Device and the parenthesis) I do not get an error. Can you re-post the match line from the grok filter with 4 leading spaces like this:

match => { "message" => "%{CISCOTIMESTAMP:timestamp} %{IP:serverip}.%%{DEVC:dev}.%{DEVC:devnum}.%{DEVC:status}: Device\('%{CPAT:devicename}'/'%{CPAT:device}'/%{CPAT:devicemac}. at %{FRDOM:dom}.'%{FRDOM:rfdomain}" }

BTW, do you really want %% before the first DEVC?

system · July 2, 2018, 2:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.