The Grok example doesn't work
Description
Activity

Philippe Weber November 29, 2013 at 6:35 AM
Hi Pierre-Olivier,
it is better to create your own support ticket than to comment on old closed ones.
From your comment it seems that you still use logstash 1.1.x because of all the @-prefixed fields.
So you should either
try to upgrade to the latest 1.2.x logstash
keep your current version and change your grok pattern to match against @message and not message

Pierre-Olivier November 28, 2013 at 9:53 PM
Hello, I have the same kind of issue: I am trying to parse my own log and I am not able to get my data indexed in elasticsearch:
My log is:
in my config I did:
The tag is properly added in ES, in kibana I have:
As you can see, my data are not tokenized in a new field data.

Philippe Weber November 1, 2013 at 12:52 PM
user support done

tongyizuguo November 1, 2013 at 1:48 AM
Yes, you are right. There is an additional space in the pattern file! Thank you!

Philippe Weber October 31, 2013 at 1:50 PM
If the grok filter could not find a pattern for POSTFIX_QUEUEID, you would get a clearer error when starting logstash, so the pattern path should be ok.
I would go for an error in the content: config or pattern file, maybe an additional space somewhere in your match or pattern.
The easiest for you is to test your config online at http://grokdebug.herokuapp.com/,
enabling the options Named Captures Only and Singles to mimic the 1.2.2 defaults.
You cannot use external patterns with this tool, but you can use another syntax:
Hi:
everybody, I am a newcomer.
I did the example in: http://logstash.net/docs/1.2.1/filters/grok
the log is:
BEF25A72965: message-id=<20130101142543.5828399CCAF@mailserver14.example.com>
then I created a directory "./patterns" and a file "postfix"
POSTFIX_QUEUEID [0-9A-F]{11}
grok is:
match => [ "message", "%{POSTFIX_QUEUEID:queue_id}: %{GREEDYDATA:message}" ]
But it didn't work, why?
is there something I didn't do?
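
The cause found in this thread (an extra space in the pattern file), shown as an added example that is not part of the original posts and is not Logstash's own code. It assumes a patterns-file line is split into a name and the rest of the line, so a trailing space ends up inside the regex; the helper names and the pattern-file contents are constructed, and the log line and match expression are the ones from the report.

```ruby
# Added example, not Logstash's code. Assumption: a patterns-file line is
# "NAME PATTERN", and everything after the first whitespace run, trailing
# spaces included, becomes part of the regex.
BUILTIN = "GREEDYDATA .*\n"                          # constructed stand-in for the stock patterns
GOOD = BUILTIN + "POSTFIX_QUEUEID [0-9A-F]{11}\n"
BAD  = BUILTIN + "POSTFIX_QUEUEID [0-9A-F]{11} \n"   # constructed: one trailing space
LINE = "BEF25A72965: message-id=<20130101142543.5828399CCAF@mailserver14.example.com>"
EXPR = "%{POSTFIX_QUEUEID:queue_id}: %{GREEDYDATA:message}"

# Parse patterns-file text into {name => regex source}, keeping trailing spaces.
def load_patterns(text)
  text.each_line.with_object({}) do |line, defs|
    next if line =~ /\A\s*(#|$)/            # skip comments and blank lines
    name, pattern = line.sub(/\A\s+/, "").split(/\s+/, 2)
    defs[name] = pattern.chomp unless pattern.nil?
  end
end

# Names of definitions whose regex ends in whitespace (usually unintended).
def lint(defs)
  defs.select { |_, pat| pat =~ /\s\z/ }.keys
end

# Expand %{NAME} and %{NAME:field} references into regex source.
def expand(expr, defs)
  expr.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = expand(defs.fetch(name), defs)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Return the named captures for a line, or nil when the pattern does not match.
def grok(expr, pattern_text, line)
  m = Regexp.new(expand(expr, load_patterns(pattern_text))).match(line)
  m && m.named_captures
end

[["clean", GOOD], ["trailing space", BAD]].each do |label, text|
  puts "#{label}: lint=#{lint(load_patterns(text)).inspect} " \
       "match=#{grok(EXPR, text, LINE).inspect}"
end
```

With the trailing space the expanded regex requires a space before the colon, so the line no longer matches and no queue_id field is produced.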