What is wrong in my grok filter work for logstash?

ndarkness · October 21, 2016, 8:31am

I would like to create a grok filter in Logstash to set as field, a concrete part of a syslog message TTN-GW string should be that field, the sort of message that is being sent to Logstash is as follows ( it comes from a syslog)

Oct 21 09:47:12 aaaa TTN-GW[1401]: #033[90m DEBUG#033[0m Handle stat #033[90mGatewayID#033[0m=SFDEGFKKGRSDFEEE #033[90madapter#033[0m=gateway-semtech

My grok filter looks like this, I have created it modifying a syslog filter (shown below),

    filter {
      if [type] == "TTN" {
        grok {
    
          match => { "message" => "%{DATE:date} %{SYSLOGHOST:syslog_hostname} %{TTNSERVICE:ttn_service}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
          add_field => [ "TTN_Service", "%{ttn_service}" ]
        }
      }
    }

However, it doesn't work as expected and I don't know why, any hint?

Thanks in advance!

The following grok filter for syslog parse it properly,

    filter {
      if [type] == "syslog" {
        grok {
          match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
          add_field => [ "received_at", "%{@timestamp}" ]
          add_field => [ "received_from", "%{host}" ]
        }
        syslog_pri { }
        date {
          match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
      }
    }

ndarkness · October 21, 2016, 8:39am

Would somethint like this work too?

filter {
  if [type] == "TTN" {
    grok {
      match => { "message", "... TTN-GW ..." }
      add_tag => [ "TTN_Service", "TTN-GW" ]
    }
    grok {
      match => { "message", "... TTN-Node-Red ..." }
      add_tag => [ "TTN_Service", "TTN-Node-Red" ]
    }
  }
}

magnusbaeck · October 21, 2016, 11:30am

The DATE pattern doesn't match your timestamp. Why are you using it instead of SYSLOGTIMESTAMP which worked?

      add_field => [ "TTN_Service", "%{ttn_service}" ]

Why not capture straight into the TTN_Service field instead of capturing into ttn_service and copying that value to TTN_Service?

ndarkness · October 26, 2016, 7:07am

You were right @magnusbaeck, it was the timestamp, I updated it and now it works.

Sorry I am a bit newbie in this, how do you mean?

magnusbaeck · October 26, 2016, 7:09am

Sorry I am a bit newbie in this, how do you mean?

This is unnecessarily complicated:

grok {
  match => {
    "message" => "%{DATE:date} %{SYSLOGHOST:syslog_hostname} %{TTNSERVICE:ttn_service}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
  }
  add_field => [ "TTN_Service", "%{ttn_service}" ]
}

It can be replaced by this:

grok {
  match => {
    "message" => "%{DATE:date} %{SYSLOGHOST:syslog_hostname} %{TTNSERVICE:TTN_Service}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
  }
}

ndarkness · October 26, 2016, 7:14am

Ok, I will try it

Just for the sake of learning, why is the first option more complicated?

Thanks!

magnusbaeck · October 26, 2016, 7:25am

Because you have an unnecessary add_field and you're creating both TTN_Service and ttn_service.

ndarkness · October 26, 2016, 7:26am

Understood, thanks