The grok part from logstash didn't take effect in elasticsearch

Below is my logstash config:

And I find only the document_type is effect after I start the logstash. I go to elasticsearch: hostname:9200/indexName and find as below:

So I find the grok part didn't take effect. Is there anything can help to debug or any other idea?

Notes: I have check all the logs but no erro or warning.

I have restart the ELK part but also the same behavior.

I debug run logstash and find this as below;

Any idea about this issue?

Yes, I think I got why can't parsing as Filter config. My origin log will not generate as grok format. So it can't match with grok.
My question is: How to intellect matching the logs with diff format in logs? use condition? But how to use it?

Don't use grok to parse JSON! Use a json filter or json codec.

Thanks, But my log have diff format of json. How to handle that.
For example: 2 types
1.{"elapsed time":40.666,"executed by":{"user":"Administrator","password":"Welcome1"},"request":{"method":"POST","uri":"jobs","payload":{"jobtype":"Import","parameters":{"zipFileName":""}}}}

2.{"elapsed time":2.666, "request":{"method":"POST","uri":"jobs","payload":{"application":"ASmp","db":"Sample","jobtype":"maxl","parameters":{"script":"createfilters_ASmp.msh"}}}}

I will hit [1] "_jsonparsefailure" during the log format as:
{"elapsed time":40.666,"executed by":{"user":"Administrator","password":"Welcome1"},"request":{"method":"POST","uri":"jobs","payload":{"jobtype":"Import","parameters":{"zipFileName":""}}}}

But does this is also a json format?

I mean if there is non-standard json format in my log. Then how to deal with that?

In your first example, the colon after "request" isn't actually a colon but some other character that looks like a colon. Your second example doesn't have that problem.

Apart from that those JSON strings are fine.


I have to verify my json is valid here:

{"elapsed time":40.666,"executed by":{"user":"BDServiceAdministrator","password":"Welcome1"},"request":{"method":"POST","uri":"jobs","payload":{"jobtype":"lcmImport","parameters":{"zipFileName":""}}}}

but my logstash still can't parse it, logstash point to line line 1 column 16 which always point to "elapsed time":40.666, I try to remove it and re-parsing but will point to next one "executed by":


I find this
which is said empty key is valid in json but logstash can't parsing it. So I change my json format to


And logstash can parsing successful. But the my second json format didn't have this issue.

Second format as:
{"elapsed time":0.675, "request":{"method":"PUT","uri":"files/applications/ASOsamp/Sample/createfilters_ASOsamp.msh?overwrite=true"}}
it always works well. Do you know why?

If I copy/paste the JSON string above into it works just fine.

Yes, It work find and valid. But for logstash parse part it will failed.

Works fine for me with Logstash 6.1:

$ cat test.config 
input { stdin { codec => json_lines } }
output { stdout { codec => rubydebug } }
$ cat data 
{"elapsed time":40.666,"executed by":{"user":"BDServiceAdministrator","password":"Welcome1"},"request":{"method":"POST","uri":"jobs","payload":{"jobtype":"lcmImport","parameters":{"zipFileName":""}}}}
$ logstash -f test.config < data
Sending Logstash's logs to /home/magnus/logstash/logstash-6.1.0/logs which is now configured via
[2018-07-24T11:39:58,360][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/home/magnus/logstash/logstash-6.1.0/modules/fb_apache/configuration"}
[2018-07-24T11:39:58,372][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/home/magnus/logstash/logstash-6.1.0/modules/netflow/configuration"}
[2018-07-24T11:39:58,778][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-07-24T11:39:59,313][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.1.0"}
[2018-07-24T11:39:59,765][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2018-07-24T11:40:02,160][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000, :thread=>"#<Thread:0x1bc2d1a0 run>"}
[2018-07-24T11:40:02,224][INFO ][logstash.pipeline        ] Pipeline started {""=>"main"}
[2018-07-24T11:40:02,363][INFO ][logstash.agent           ] Pipelines running {:count=>1, :pipelines=>["main"]}
     "executed by" => {
        "password" => "Welcome1",
            "user" => "BDServiceAdministrator"
        "@version" => "1",
      "@timestamp" => 2018-07-24T09:40:02.376Z,
            "host" => "bertie",
    "elapsed time" => 40.666,
         "request" => {
            "uri" => "jobs",
        "payload" => {
               "jobtype" => "lcmImport",
            "parameters" => {
                "zipFileName" => ""
         "method" => "POST"
[2018-07-24T11:40:03,004][INFO ][logstash.pipeline        ] Pipeline terminated {""=>"main"}

Thanks, I am failed with below json but not the one which you use. Could you help to use below json to take a try in 6.1? I am working with 5.6.3, I think it doesn't matter with diff version.

{"elapsed time":40.666,"executed by":{"user":"Administrator","password":"Welcome1"},"request":{"method":"POST","uri":"jobs","payload":{"jobtype":"Import","parameters":{"zipFileName":""}}}}

As I said earlier, the colon after "request" isn't actually a colon but some other character that looks like a colon. To be extremely explicit:

             ----- this is not a colon

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.