GROK Pattern Works with GROK Debugger but not in Logstash GROK

Question

I have a GROK pattern I am trying to use in Logstash that works within the GROK Debugger website but not within Log stash. I've tried different configurations with no success. I'm hoping someone can help me identify why this is not working.

Input: 2015-04-15 12:43:23.788 1883 AUDIT nova.compute.resource_tracker [-] Free disk (GB): -7

Search Pattern: Free disk \(GB\): \-%{INT:auth_method}

I want to extract the value 7

Thanks for your help!!!!

This worked fine for me. Please provide your Logstash configuration. (Side note: You probably want %{INT:auth_method:int} to make the auth_method field an integer field instead of a string field. — Magnus Bäck

Alain Collins Alain Collins · Accepted Answer · 2015-04-16T15:59:12

Hate to say it, OP, but it works for me:

input {
        stdin {}
}
filter {
    grok {
        match => [ message, "Free disk \(GB\): \-%{INT:auth_method}" ]
    }
}
output {
        stdout { codec => rubydebug }
}

Gives you this:

2015-04-15 12:43:23.788 1883 AUDIT nova.compute.resource_tracker [-] Free disk (GB): -7
{
        "message" => "2015-04-15 12:43:23.788 1883 AUDIT nova.compute.resource_tracker [-] Free disk (GB): -7",
       "@version" => "1",
     "@timestamp" => "2015-04-16T15:57:17.229Z",
           "host" => "0.0.0.0",
    "auth_method" => "7"
}

Check for extra spaces at the end of your pattern, perhaps?

GROK Pattern Works with GROK Debugger but not in Logstash GROK

1 Answers