Celi Manu

Reputation: 471

Logstash filter correct in debugger but doesn't work when searching in Kibana

My Logstash filter is correct in the debugger, but the fields don't show up when I search for the exact message I tested with in Kibana. Here is my filter:

filter {
  if [type] == "syslog" {
    grok {
      match => { 'message' => '%{SYSLOG5424LINE}' }
    }
    syslog_pri {
      syslog_pri_field_name => 'syslog5424_pri'
    }
    date {
      match => [ 'syslog5424_ts', 'ISO8601' ]
    }
  }
}

and here is an example of my log message:

<134>1 2017-01-23T10:54:44.587136-08:00 mcmp mapp  - -  close ('xxx', 32415)

It seems like the filter isn't applying. I restarted my Logstash service and tested in the grok debugger. Any idea what's wrong?

Upvotes: 0

Views: 837

Answers (1)

Alcanzar

Reputation: 17155

It looks like it works correctly to me.

I created test.conf with:

input {
    stdin {}
}
filter {
   grok {
     match => { 'message' => '%{SYSLOG5424LINE}' }
   }
   syslog_pri {
     syslog_pri_field_name => 'syslog5424_pri'
   }
   date {
     match => [ 'syslog5424_ts', 'ISO8601' ]
   }
}

output {
    stdout { codec => "rubydebug" }
}

and then tested like this:

echo "<134>1 2017-01-23T10:54:44.587136-08:00 mcmp mapp  - -  close ('xxx', 32415)" | bin/logstash -f test.conf

And the event it gives as output:

{
    "syslog_severity_code" => 6,
         "syslog_facility" => "local0",
    "syslog_facility_code" => 16,
          "syslog5424_ver" => "1",
                 "message" => "<134>1 2017-01-23T10:54:44.587136-08:00 mcmp mapp  - -  close ('xxx', 32415)",
          "syslog5424_app" => "mapp",
          "syslog5424_msg" => "close ('xxx', 32415)",
         "syslog_severity" => "informational",
                    "tags" => [],
              "@timestamp" => 2017-01-23T18:54:44.587Z,
           "syslog5424_ts" => "2017-01-23T10:54:44.587136-08:00",
          "syslog5424_pri" => "134",
                "@version" => "1",
                    "host" => "xxxx",
         "syslog5424_host" => "mcmp"
}

which has all of the fields that the SYSLOG5424LINE pattern contains.

Upvotes: 2
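Added example (not from either post): a Python re-implementation of what the grok, syslog_pri and date filters do to the sample line, so the PRI decoding (134 → facility 16/local0, severity 6/informational) and the UTC conversion behind @timestamp can be checked offline. The regex is a simplified stand-in for SYSLOG5424LINE, and the facility/severity label tables are conventional keywords rather than Logstash's own strings.

```python
import re
from datetime import datetime, timezone

# Constructed sample line with the same shape as the one in the question.
SAMPLE = "<134>1 2017-01-23T10:54:44.587136-08:00 mcmp mapp  - -  close ('xxx', 32415)"

# Simplified stand-in for grok's SYSLOG5424LINE: PRI, version, timestamp, host,
# app, procid, msgid, optional structured data, then the free-text message.
SYSLOG5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) +"
    r"(?P<ts>\S+) +(?P<host>\S+) +(?P<app>\S+) +(?P<proc>\S+) +(?P<msgid>\S+)"
    r"(?: +(?P<sd>\[.*\]))? +(?P<msg>.*)$"
)

# Conventional facility/severity keywords; Logstash's syslog_pri uses its own
# label strings, only "local0" and "informational" are taken from the answer.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

def parse_syslog5424(line: str) -> dict:
    """Return the fields grok + syslog_pri + date would add for one RFC 5424 line."""
    m = SYSLOG5424.match(line)
    if m is None or int(m["pri"]) > 191:  # 191 = local7/debug, the largest valid PRI
        return {"tags": ["_grokparsefailure"]}  # grok only tags; event otherwise untouched
    pri = int(m["pri"])
    facility, severity = pri // 8, pri % 8  # PRI = facility * 8 + severity
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)  # date filter; assumes ts != "-"
    event = {
        "syslog5424_pri": m["pri"],
        "syslog5424_ver": m["ver"],
        "syslog5424_ts": m["ts"],
        "syslog5424_host": m["host"],
        "syslog5424_app": m["app"],
        "syslog5424_msg": m["msg"],
        "syslog_facility_code": facility,
        "syslog_facility": FACILITIES[facility],
        "syslog_severity_code": severity,
        "syslog_severity": SEVERITIES[severity],
        # @timestamp is stored in UTC with millisecond precision, as Logstash prints it
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z",
        "tags": [],
    }
    # fields the line gives as "-" (nil value) are not emitted, matching the answer's output
    for key in ("proc", "msgid", "sd"):
        if m[key] not in (None, "-"):
            event[f"syslog5424_{key}"] = m[key]
    return event
```

Note that the answer's test.conf drops the question's `if [type] == "syslog"` guard, so a passing stdin test shows the patterns work but not that live events actually carry that type; events whose `type` differs skip the whole block and reach Kibana with only the raw message.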
