Same pattern file gives pattern not define for only one pattern

SashaAlex · June 4, 2018, 7:15am

I have following pattern file.
CPAT ([\w-]+)
FRDOM ([\w-]+)
DEVC ([\w]+)

I had given permission for pattern file. but it gives the following error.

Pipeline aborted due to error {:exception=>#<Grok::PatternError: pattern %{CPAT:devicename} not defined>

my filter is like this.
grok{
patterns_dir => ["/etc/logstash/pattern.d"]
match => { "message" => "%{CISCOTIMESTAMP:timestamp} %{IP:serverip}.%%{DEVC:dev}.%{DEVC:devnum}.%{DEVC:status}: Device('%{CPAT:devicename}'/'%{CPAT:device}'/%{CPAT:devicemac}. at %{FRDOM:dom}.'%{FRDOM:rfdomain}" }
}

Badger · June 4, 2018, 2:59pm

In 6.2.4, with that filter (provided you add a backslash between Device and the parenthesis) I do not get an error. Can you re-post the match line from the grok filter with 4 leading spaces like this:

match => { "message" => "%{CISCOTIMESTAMP:timestamp} %{IP:serverip}.%%{DEVC:dev}.%{DEVC:devnum}.%{DEVC:status}: Device\('%{CPAT:devicename}'/'%{CPAT:device}'/%{CPAT:devicemac}. at %{FRDOM:dom}.'%{FRDOM:rfdomain}" }

BTW, do you really want %% before the first DEVC?

system · July 2, 2018, 2:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline aborted due to error.PatternError: pattern %{REMOTEIP:remoteip} not defined> Logstash	1	274	October 21, 2019
Pattern not defined even though the first matches Logstash	2	1076	September 4, 2017
Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<Grok::PatternError: pattern %{CISCOTIMESTAMPTZ:log_date} not defined> Logstash	5	13077	February 9, 2018
Pattern not defined grok error Elastic Stack	1	362	November 4, 2022
Grok multiple pattern definitions Logstash	3	3480	December 7, 2020

Same pattern file gives pattern not define for only one pattern

Related topics