Trouble parsing this statement - help with grok expression

jjdepaul · February 23, 2016, 1:59pm

LogStash 2.0.0 on Window7 (and cygwin). I have the following grok expression:

Customer Account Number=%{NOTSPACE:accountId} Contract Number=%{NOTSPACE:cftsContractNumber} Work Number=%{NOTSPACE:cftsWorkNumber} Status=%{GREEDYDATA:cftsStatus} (cftsFileName=%{GREEDYDATA:cftsFilename})? (emailRecipients=%{GREEDYDATA:emailRecipients})?

Here is the input log line.... not sure why it's not working and not sure how to get rid of all of the GREEDYDATA patterns and still be able to parse it properly. Log data:

Customer Account Number=352784 Contract Number=ES00104293 Work Number=P033629 Status=Success cftsFileName=/web/cftsftp_emea/cftscron/fromcfts/gbi_output_ALL_ALL_IC2ECFTS_001044.xml emailRecipients=email1,email2, email3, email4

I've tried debugging it - it has trouble somewhere in the Work Number expression... no idea why.

Kryten · February 23, 2016, 6:12pm

Hi,
You could try replacing your grok expression with this:-

Customer\sAccount\sNumber\=(?<customer_account_number>\d*)\sContract\sNumber\=(?<contract_number>\w*)\sWork\sNumber\=(?<work_number>\w*)\sStatus\=(?<status>\w*)\scftsFileName\=(?<cfts_filename>.*?(?=\s))\semailRecipients\=(?<email_recipients>.*)

magnusbaeck · February 23, 2016, 6:30pm

Be systematic. Start with the simplest possible expression,

Customer Account Number=%{NOTSPACE:accountId}

and verify that it works. Add the next token,

Customer Account Number=%{NOTSPACE:accountId} Contract Number=%{NOTSPACE:cftsContractNumber}

and continue until it stops working.

I'd be very careful about those GREEDYDATA patterns, some of which are optional. It'll almost certainly not work as expected.

Also, the spaces surrounding the optional tokens are incorrect. Follow this pattern instead:

%{A:b}( %{C:d})?( %{E:f})?

jjdepaul · February 23, 2016, 6:52pm

Thank you to both. It worked, with a minor tweak.