Unable to extract fields from Message Using GROK Filter

Usman_Ismail · August 5, 2016, 3:51pm

I have a log file collected using a FileBeat that looks like:

10:21:38.014 DEBUG org.apache.zookeeper.ClientCnxn [main-SendThread(zookeeper3.piranhakik.com:2181)] - Got ping response for sessionid: 0x355bca8e39f0c51 after 0ms

I have GROK filter which is as follows:

filter {
  if [type] == "tigase-kik" {
    grok {
      match => { "message" => "%{TIGASEACCESS}" }
    }
  }
}
#pattern file
KIK_TIMESTAMP HH:mm:ss.SSS
REMAINING_LOG_MESSAGE (.*)
TIGASEACCESS %{KIK_TIMESTAMP:timestamp} %{LOGLEVEL:level} %{REMAINING_LOG_MESSAGE}

But am getting the following error

{
"message" => "11:48:08.472 DEBUG c.k.c.p.c.XXXXXX [pool-40-thread-1] - XXXXX XXX XXX XXXX",
"@version" => "1",
"@timestamp" => "2016-08-05T15:48:08.859Z",
"offset" => 101050837,
"input_type" => "log",
"count" => 1,
"type" => "tigase-kik",
"fields" => nil,
"beat" => {
"hostname" => "XXX.XXXX.com",
"name" => "XXXX.XXX.com"
},
"source" => "/opt/kik/XXXX/logs/XXXX-XXXX.log",
"host" => "XXXX.XXXXX.com",
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "_grokparsefailure"
]
}

How do I go about testing the grok definition and any idea whats going wrong for me?

apelsina · August 5, 2016, 4:44pm

Have you tried the Grok Debugger? https://grokdebug.herokuapp.com/
And here are some default grok patterns, it may be helpful https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns