grok patterns_dir doesn't work

Description

Hello,
I have an issue extracting fields with grok.

My conf:

    input {
      amqp {
        type => "all"
        host => "graystash"
        port => "5673"
        user => "logstash"
        password => "pass4logstash"
        #exchange => "fanout"
        exchange => "rawlogs"
        #name => "rawlogs"
        vhost => "root"
      }
    }

    filter {
      grok {
        type => "F5Access"
        patterns_dir => "/opt/logstash/patterns"
        pattern => "%{F5Access}"
      }

      date {
        type => "F5Access"
        F5AccessTimestamp => "MMM dd HH:mm:ss"
        F5AccessTimestamp => "MMM d HH:mm:ss"
      }
    }

    output {
      stdout {
        debug => true
      }

      gelf {
        type => "F5Access"
        facility => "F5Access"
        sender => "%{F5AccessVirtualHost}"
        level => [ "%{severity}", "u" ]
        host => "graystash.in.karavel.com"
        port => 12201
      }
    }

And the patterns file:

    #### F5 Access Logs ####

    # Log Complete
    F5Access %{F5AccessTimeStamp}\s%{F5AccessIpLoadballancer}\svs=%{F5AccessVirtualServer}\scip=%{F5AccessIpClient}%\d+\ssip=%{F5AccessIpSource}\ssp=%{F5AccessSourcePort}\svh=%{F5AccessVirtualHost}\suri=%{F5AccessUri}\sm=%{F5AccessMethod}\sv=%{F5AccessVersionHttp}\ss=%{F5AccessStatusHttp}\sl=%{F5AccessLongueur}\st=%{F5AccessTempsReponse}\sr=%{F5AccessUrlSource}\sua=%{F5AccessUa}

    # Detail
    F5AccessTimeStamp (?:^\w{3}(\s|\s\s)\d+\s\d+\:\d+\:\d+)
    F5AccessIpLoadballancer (?:\d+\.\d+\.\d+\.\d+)
    F5AccessVirtualServer (?:.+)
    F5AccessIpClient (?:.+)
    F5AccessIpSource (?:.+)
    F5AccessSourcePort (?:.+)
    F5AccessVirtualHost (?:.+)
    F5AccessUri (?:.+)
    F5AccessMethod (?:.+)
    F5AccessVersionHttp (?:.+)
    F5AccessStatusHttp (?:.+)
    F5AccessLongueur (?:.+)
    F5AccessTempsReponse (?:.+)
    F5AccessUrlSource (?:.+)
    F5AccessUa (?:.+)

This conf works with 1.1.0beta8.

Thx
Thibault

Activity

Thibault Desaules
February 14, 2012, 10:48 AM

Output with 1.1.0beta8:
http://pastie.org/3379860

Output with 1.1.0:
http://pastie.org/3379868

No grokparseerror.

Resolved with: named_captures_only => false (thx IRC and random619)
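
Why the setting in the comment above changes the result, as an added example (not part of the original ticket and not Logstash's own code): a simplified Python model of grok in which a `%{NAME}` reference is stored as a field only when `named_captures_only` is false, while a `%{NAME:field}` reference is always stored. The shortened `F5Access` pattern, the sample log line and the helper names `compile_grok` and `grok` are constructed for illustration.

```python
import re

# Shortened copy of the page's patterns file: same definitions, fewer fields.
PATTERNS = {
    "F5Access": r"%{F5AccessTimeStamp}\s%{F5AccessIpLoadballancer}"
                r"\svs=%{F5AccessVirtualServer}\svh=%{F5AccessVirtualHost}",
    "F5AccessTimeStamp": r"(?:^\w{3}(\s|\s\s)\d+\s\d+\:\d+\:\d+)",
    "F5AccessIpLoadballancer": r"(?:\d+\.\d+\.\d+\.\d+)",
    "F5AccessVirtualServer": r"(?:.+)",
    "F5AccessVirtualHost": r"(?:.+)",
}
# Same patterns, but the field the gelf output needs is given an explicit name.
PATTERNS_NAMED = dict(PATTERNS, F5Access=PATTERNS["F5Access"].replace(
    "%{F5AccessVirtualHost}", "%{F5AccessVirtualHost:F5AccessVirtualHost}"))

SAMPLE = "Feb 14 10:48:01 10.0.0.1 vs=vs_web vh=www.example.com"  # constructed

REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def compile_grok(expr, patterns):
    """Expand %{NAME} and %{NAME:field}; return (regex, explicitly named fields)."""
    explicit = set()
    def expand(m):
        name, field = m.group(1), m.group(2)
        if field:
            explicit.add(field)
        return "(?P<%s>%s)" % (field or name, REF.sub(expand, patterns[name]))
    return re.compile(REF.sub(expand, expr)), explicit

def grok(line, expr, patterns, named_captures_only):
    """Return the fields stored on the event, or None if the line does not match."""
    regex, explicit = compile_grok(expr, patterns)
    m = regex.search(line)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    if named_captures_only:  # drop captures that only carry the pattern name
        fields = {k: v for k, v in fields.items() if k in explicit}
    return fields

if __name__ == "__main__":
    for label, pats, only in (("named_captures_only => false", PATTERNS, False),
                              ("named_captures_only => true", PATTERNS, True),
                              ("true, explicit :field name", PATTERNS_NAMED, True)):
        print(label, "->", grok(SAMPLE, "%{F5Access}", pats, only))
```

In the second case the line still matches but no fields are stored, so a downstream reference such as `%{F5AccessVirtualHost}` in the gelf output has nothing to resolve.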

Philippe Weber
June 22, 2012, 9:19 AM

CanBeClosed
User got reply from IRC

Assignee: Logstash Developers

Reporter: Thibault Desaules
