Reputation: 3
Would someone be able to add some clarity please? My grok pattern works fine when I test it against grokdebug and grokconstructor, but when I put it in Logstash it fails from the beginning. Any guidance would be greatly appreciated. Below is my filter and example log entry.
{"casename":"null","username":"null","startdate":"2015-05-26T01:09:23Z","enddate":"2015-05-26T01:09:23Z","time":"0.0156249","methodname":"null","url":"http://null.domain.com/null.php/null/jobs/_search?q=jobid:\"0\"&size=100&from=0","errortype":"null","errorinfo":"null","postdata":"null","methodtype":"null","servername":"null","gaggleid":"a51b90d6-1f82-46a7-adb9-9648def879c5","date":"2015-05-26T01:09:23Z","firstname":"null","lastname":"null"}
filter {
  if [type] == 'EventLog' {
    grok {
      match => { 'message' => ' \{"casename":"%{WORD:casename}","username":"%{WORD:username}","startdate":"%{TIMESTAMP_ISO8601:startdate}","enddate":"%{TIMESTAMP_ISO8601:enddate}","time":"%{NUMBER:time}","methodname":"%{WORD:methodname}","url":"%{GREEDYDATA:url}","errortype":"%{WORD:errortype}","errorinfo":"%{WORD:errorinfo}","postdata":"%{GREEDYDATA:postdata}","methodtype":"%{WORD:methodtype}","servername":"%{HOST:servername}","gaggleid":"%{GREEDYDATA:gaggleid}","date":"%{TIMESTAMP_ISO8601:date}","firstname":"%{WORD:firstname}","lastname":"%{WORD:lastname}"\} '
      }
    }
  }
}
Upvotes: 0
Views: 287
Reputation: 16362
"Fails from the beginning", indeed! See this?
'message' => ' \{"casename"
             ^^^
There's no initial (or trailing) space in your input, but you have them in your pattern. Remove them, and it works fine in logstash.
BTW, have you seen the json codec or filter?
Upvotes: 1
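The json filter mentioned at the end of the answer, applied to the log line from the question. This is an added example, not part of the original posts; using "startdate" for @timestamp, converting "time" to a float, and the `eventlog_unparsed` tag name are assumptions made for illustration.

```logstash
filter {
  if [type] == 'EventLog' {
    # Parse the whole line as JSON instead of matching it field by field.
    # Escaped quotes inside "url" (jobid:\"0\") are handled by the JSON parser,
    # and leading or trailing whitespace around the object no longer matters.
    json {
      source => "message"
    }

    if "_jsonparsefailure" in [tags] {
      # "_jsonparsefailure" is the tag the json filter adds by default when
      # the line is not valid JSON.
      # Assumption: keep the raw event and mark it with a hypothetical tag
      # so unparsed lines can be reviewed instead of silently lost.
      mutate { add_tag => ["eventlog_unparsed"] }
    } else {
      # Assumption: "startdate" is the event time to use for @timestamp.
      date {
        match => ["startdate", "ISO8601"]
      }
      # "time" arrives as a JSON string ("0.0156249"); store it as a number.
      mutate {
        convert => { "time" => "float" }
      }
    }
  }
}
```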