Timeout executing grok 5.4.3

Hi,

I send with Filebeat the file
/usr/local/tomcat/current/logs/filieredistribution_vodpublish.log
in Logstash.

I want to extract the filename without extension like this :

  grok {
          match => { "source" => [ "%{PATH}/%{GREEDYDATA:logfile}\." ] }
  }

When I try on https://grokdebug.herokuapp.com/, it's ok :

{
  "UNIXPATH": [
    [
      "/usr/local/tomcat/current/logs"
    ]
  ],
  "logfile": [
    [
      "filieredistribution_vodpublish"
    ]
  ]
}

but in Logstash, I have this error :

[2017-07-07T09:22:22,333][WARN ][logstash.filters.grok    ] Timeout executing grok '%{UNIXPATH}/%{GREEDYDATA:logfile}\.' against field 'source' with value '/usr/local/tomcat/current/logs/filieredistribution_vodpublish.log'!
[2017-07-07T09:22:22,333][WARN ][logstash.filters.grok    ] Timeout executing grok '%{UNIXPATH}/%{GREEDYDATA:logfile}\.' against field 'source' with value '/usr/local/tomcat/current/logs/filieredistribution_vodpublish.log'!

I use Logstash and FileBeat in version 5.4.3.

I don't understand, can you help me ?

Thanks

If I rename the file filieredistribution_vodpublish.log in filier_publish.log, I don't have error.
And I can see the field logfile :

"_source": {
             ...
              "offset": 16179,
              "level": "INFO",
              "logfile": "filier_publish",
              "input_type": "log",
              "source": "/usr/local/tomcat/current/logs/filier_publish.log",
              ...
}

Somebody can explain me where is the problem ?

I changed the way to find the filename of my logs :

grok {
       match => { "source" => [ "%{PATH}/%{GREEDYDATA:logfile}\." ] }
}

in

ruby {
      code => "
            filename = event.get('[source]').split('/').last
            event.set('logfile',filename.split('.').first)
       "
}

It's much faster !

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.