Bouba TRAORE
Reputation: 31
GROK Pattern Works with GROK Debugger but not in Logstash GROK
I have a GROK pattern I am trying to use in Logstash that works within the GROK Debugger website but not within Log stash. I've tried different configurations with no success. I'm hoping someone can help me identify why this is not working.
Input: 2015-04-15 12:43:23.788 1883 AUDIT nova.compute.resource_tracker [-] Free disk (GB): -7
Search Pattern: Free disk \(GB\): \-%{INT:auth_method}
I want to extract the value 7
Thanks for your help!!!!
Upvotes: 3
Views: 878
Answers (1)
Alain Collins
Reputation: 16362
Hate to say it, OP, but it works for me:
input {
stdin {}
}
filter {
grok {
match => [ message, "Free disk \(GB\): \-%{INT:auth_method}" ]
}
}
output {
stdout { codec => rubydebug }
}
Gives you this:
2015-04-15 12:43:23.788 1883 AUDIT nova.compute.resource_tracker [-] Free disk (GB): -7
{
"message" => "2015-04-15 12:43:23.788 1883 AUDIT nova.compute.resource_tracker [-] Free disk (GB): -7",
"@version" => "1",
"@timestamp" => "2015-04-16T15:57:17.229Z",
"host" => "0.0.0.0",
"auth_method" => "7"
}
Check for extra spaces at the end of your pattern, perhaps?
Upvotes: 1
Related Questions
- logstash log parsing with regex and grok
- RegEx Filter Works In RegExr But Not Logstash Grok
- grok parsing issue
- Logstash - Basic Grok Pattern not working
- Grok pattern works in Grok Debugger but not in logstash
- Grok Pattern not working in Logstash
- Logstash pattern matching more than it should
- Logstash grok pattern issue
- Different behavior in Grok debugger and Logstash grok
- _grokparsefailure on matching grok debugger pattern