grok filter for heroku not working as expected

Description

I have started using the heroku input that uses a grok filter and have tested that the following filter works at http://grokdebug.herokuapp.com/

^%{TIMESTAMP_ISO8601:timestamp} %{WORD:component}\[%{WORD:process}(?:\.%{INT:instance:int})?\]: %{DATA:message}$

for

2014-01-30T21:54:15.450954+00:00 heroku[router]: at=info method=GET path=/socket.io/1/xhr-polling/wCeckZz8Ln5gUt888M35?t=1391118843246 host=redfly.redstar.com request_id=fa219f8b-9768-4a2c-9fe6-c7d6bf1a0969 fwd="70.88.199.13" dyno=web.1 connect=2ms service=10016ms status=200 bytes=3

grok debug outputs the following as message:

"at=info method=GET path=/socket.io/1/xhr-polling/wCeckZz8Ln5gUt888M35?t=1391118843246 host=redfly.redstar.com request_id=fa219f8b-9768-4a2c-9fe6-c7d6bf1a0969 fwd=\"70.88.199.13\" dyno=web.1 connect=2ms service=10016ms status=200 bytes=3"

However, when I see it in Kibana (attached image), I see that the message contains the timestamp and other parts of the log entry instead of filtering just the "at=info method=GET <etc>".

I think it's a bug.

Activity

Kwan Lee
January 30, 2014, 10:13 PM

The heroku input config had two message fields and as a result it was lumping together the full message and the filtered message.
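Added example, not part of the original report or of Logstash itself: a Python model of the lumping described in the comment above, using a simplified regex rendering of the reported grok pattern on the reported sample line. It assumes that a capture written to a field that already exists is appended rather than replacing it; the `apply_captures` helper and its `overwrite` parameter (named after the grok filter's `overwrite` option) are hypothetical.

```python
import re

# Constructed Python rendering of the grok pattern in the report; the grok
# macros (TIMESTAMP_ISO8601, WORD, INT, DATA) are simplified approximations.
HEROKU_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d))"
    r" (?P<component>\w+)\[(?P<process>\w+)(?:\.(?P<instance>\d+))?\]:"
    r" (?P<message>.*?)$"
)

# Sample line from the report.
SAMPLE = (
    "2014-01-30T21:54:15.450954+00:00 heroku[router]: at=info method=GET "
    "path=/socket.io/1/xhr-polling/wCeckZz8Ln5gUt888M35?t=1391118843246 "
    "host=redfly.redstar.com request_id=fa219f8b-9768-4a2c-9fe6-c7d6bf1a0969 "
    'fwd="70.88.199.13" dyno=web.1 connect=2ms service=10016ms status=200 bytes=3'
)


def apply_captures(event, line, overwrite=()):
    """Return a copy of event with the captures from line merged in.

    Assumed merge rule: a capture whose name already exists on the event is
    appended to the old value unless the name is listed in overwrite.
    """
    match = HEROKU_RE.match(line)
    if match is None:
        return {**event, "tags": event.get("tags", []) + ["_grokparsefailure"]}
    out = dict(event)
    for name, value in match.groupdict().items():
        if value is None:          # optional group (.instance) did not match
            continue
        if name == "instance":     # the pattern's :int coercion
            value = int(value)
        if name in out and name not in overwrite:
            old = out[name] if isinstance(out[name], list) else [out[name]]
            out[name] = old + [value]
        else:
            out[name] = value
    return out


if __name__ == "__main__":
    raw = {"message": SAMPLE}
    print(apply_captures(raw, SAMPLE)["message"])                          # lumped
    print(apply_captures(raw, SAMPLE, overwrite=("message",))["message"])  # filtered
```

With an event that already carries the full line in `message`, the first call yields a two-element `message` (full line plus the filtered text), which is the symptom seen in Kibana; the second yields only the filtered text.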

Assignee

Logstash Developers

Reporter

Kwan Lee
