Reputation: 1
Logstash - grok configuration filter
I am trying to filter the output of the "last" command using grok.
The grok pattern is only matching the first variable "user" .
It is not matching any pattern after it.
Can you please let me know what i am missing here.
Log:
sam pts/0 172.19.16.3 Tue Mar 3 11:32 - 11:39 (00:07)
Grok pattern used :
match => [ "message", "%{USER:user} %{TTY:terminal} %{IPORHOST:client} %{TIMESTAMP_ISO8601:date} %{NUMBER:duration}" ]
Upvotes: 0
Views: 919
Answers (1)
Reputation: 1651
Several issues with your pattern:
- List item
you have to take care of the Whitespace
if you have data like:
username foobar
the pattern:
%{USER:user} %{WORD}
will not match because you have several white spaces between the two words. If you do:
%{USER:user} +%{WORD}
the pattern will match because you tell grok to look for more than one space between the two words. Try to check your pattern with http://grokdebug.herokuapp.com/ one step at a time. First try to work out the GROK patterns for the individual parts and if they work try to put them together one by one.
- The pattern tty does not match pts/0 but expects something like /dev/pts/0
Take a look at the pattern definition. They can be found under: https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns
The TTY pattern in particular is in: https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns
Upvotes: 1
Related Questions
- logstash grok filter annoyance
- Logstash Add field from grok filter
- Logstash grok filter does not parse message
- Logstash filtering using grok
- GROK Pattern filtering
- Logstash grok filter regex
- Logstash Grok Filter key/value pairs
- Filtering messages out of logstash.conf
- Logstash filter with more matcher
- logstash fails to match a grok filter