Works in Grok Debugger but not in logstash config file

jamespb · December 10, 2018, 7:50am

my filter works in Grok Debugger but not in logstash config file.
pattern:
(?<message_date>[0-9]+-[0-9]+-[0-9]+) (?<message_time>[0-9]+:[0-9]+:[0-9]+) (?<message_number>[0-9]+-[0-9]+) %{WORD:message_type} "(?(.+?):)(?(.+?):)(?(.+?):)(?(.+?)")
log:
07-08-2018 21:48:44 237-4061 information "APPL:icscf2bb2.IMS_OVL01: CLM_CSCF Statistics: Role=S: transit_sess=0, core_sess=503; Role=C: border_sess=0"

error:
[2018-12-10T15:50:02,126][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 11, column 236 (byte 582) after filter {\n grok {\n #07-08-2018 01:49:51 141-9938 information "OEM:idcscf2bb2:sshd: sshd[21105]: Set /proc/self/oom_score_adj to 0"\n #match => {"message" => "(?<message_date>[0-9]+-[0-9]+-[0-9]+) (?<message_time>[0-9]+:[0-9]+:[0-9]+) (?<message_number>[0-9]+-[0-9]+) %{WORD:message_type} %{QS:message_body}"}\n\t\tmatch => {"message" => "(?<message_date>[0-9]+-[0-9]+-[0-9]+) (?<message_time>[0-9]+:[0-9]+:[0-9]+) (?<message_number>[0-9]+-[0-9]+) %{WORD:message_type} (?(.+?):)(?(.+?):)(?(.+?):)(?(.+?)/"", :backtrace=>["C:/tmp/elk/log/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "C:/tmp/elk/log/logstash-core/lib/logstash/compiler.rb:49:incompile_graph'", "C:/tmp/elk/log/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "C:/tmp/elk/log/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:149:ininitialize'", "C:/tmp/elk/log/logstash-core/lib/logstash/pipeline.rb:22:in initialize'", "C:/tmp/elk/log/logstash-core/lib/logstash/pipeline.rb:90:ininitialize'", "C:/tmp/elk/log/logstash-core/lib/logstash/pipeline_action/create.rb:42:in block in execute'", "C:/tmp/elk/log/logstash-core/lib/logstash/agent.rb:92:inblock in exclusive'", "org/jruby/ext/thread/Mutex.java:148:in synchronize'", "C:/tmp/elk/log/logstash-core/lib/logstash/agent.rb:92:inexclusive'", "C:/tmp/elk/log/logstash-core/lib/logstash/pipeline_action/create.rb:38:in execute'", "C:/tmp/elk/log/logstash-core/lib/logstash/agent.rb:317:inblock in converge_state'"]}

jamespb · December 11, 2018, 6:51am

I should use filter as following

grok {
	match => {"message" => ["(?<message_date>^[0-9]+-[0-9]+-[0-9]+) (?<message_time>[0-9]+:[0-9]+:[0-9]+)  (?<message_number>[0-9]+-[0-9]+)  %{WORD:message_type}  (?<message1>(.+?)\:)(?<message2>(.+?)\:)(?<process_name>(.+?)\:)(?<message4>(.+?)$)"]}

 }

system · January 8, 2019, 6:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.