0
votes

Grok is able to parse float values with a single digit, like 1.2, using BASE16FLOAT, but throws [0] "_grokparsefailure" when parsing a double-digit value like 12.5.

Example:

It works for the log event

02:10:28     CPU Util %:   0.1 /   0.2 /   0.6     Disk Util %:   0.0 /   0.0 /   0.0

but not for

02:09:46     CPU Util %:   1.3 /   2.3 /   4.2     Disk Util %:   5.6 /  12.5 /  40.9

Logstash filter used

"message" => "%{TIME:time} CPU Util %: %{BASE16FLOAT:MIN_CPU} / %{BASE16FLOAT:AVG_CPU} / %{BASE16FLOAT:MAX_CPU} Disk Util %: %{BASE16FLOAT:MIN_DISK} / %{BASE16FLOAT:AVG_DISK} / %{BASE16FLOAT:MAX_DISK}"

I don't understand why it works for single-digit float values but not for double-digit values.

1
To know for sure, you'd have to reverse engineer BASE16FLOAT, which is "\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b". Yuck. - Alain Collins
I would imagine, though, that your disk utilization percentages are actually base10, so you might try using %{NUMBER}. - Alain Collins

1 Answer

0
votes

You can use %{NUMBER} and %{SPACE}

"message" => "%{TIME:time}%{SPACE}CPU Util %:%{SPACE}%{NUMBER:MIN_CPU} /%{SPACE}%{NUMBER:AVG_CPU} /%{SPACE}%{NUMBER:MAX_CPU}%{SPACE}Disk Util %:%{SPACE}%{NUMBER:MIN_DISK} /%{SPACE}%{NUMBER:AVG_DISK} /%{SPACE}%{NUMBER:MAX_DISK}"
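The two sample lines differ in column padding (`/   0.0` versus `/  12.5`), so this added example, which is not part of the answer or Logstash's own code, expands grok expressions into Ruby regexes and runs a literal-space pattern and the `%{SPACE}` pattern against both. Assumptions: `grok_to_regexp`, `grok` and `sample_line` are hypothetical helpers, `FIXED` is a constructed variant of the question's pattern with literal spaces mirroring the first line, `TIME` is simplified, and the `NUMBER`/`SPACE` bodies are transcribed from the stock grok pattern set.

```ruby
# Added example: a minimal grok-to-regex expander, not Logstash's own code.
PATTERNS = {
  # As quoted in the comment on this page.
  'BASE16FLOAT' => '\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b',
  # Assumption: transcribed from the stock grok pattern set.
  'BASE10NUM' => '(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))',
  'NUMBER' => '(?:%{BASE10NUM})',
  'SPACE' => '\s*',
  # Assumption: simplified stand-in for the stock TIME pattern.
  'TIME' => '\d{2}:\d{2}:\d{2}'
}.freeze
TOKEN = /%\{(\w+)(?::(\w+))?\}/

# Expand %{NAME} and %{NAME:field} until no tokens remain (NUMBER nests BASE10NUM).
def grok_to_regexp(expr)
  src = expr.dup
  while src.match?(TOKEN)
    src = src.gsub(TOKEN) do
      body = PATTERNS.fetch(Regexp.last_match(1))
      name = Regexp.last_match(2)
      name ? "(?<#{name}>#{body})" : "(?:#{body})"
    end
  end
  Regexp.new(src)
end

# Returns the captured fields, or nil (the _grokparsefailure case).
def grok(expr, line)
  m = grok_to_regexp(expr).match(line)
  m && m.named_captures
end

# Constructed to reproduce the page's two log lines: each value is right-aligned in 6 columns.
def sample_line(time, *vals)
  format('%s     CPU Util %%:%6.1f /%6.1f /%6.1f     Disk Util %%:%6.1f /%6.1f /%6.1f', time, *vals)
end
LINE_SMALL = sample_line('02:10:28', 0.1, 0.2, 0.6, 0.0, 0.0, 0.0)
LINE_BIG   = sample_line('02:09:46', 1.3, 2.3, 4.2, 5.6, 12.5, 40.9)

# Constructed: literal spaces sized for single-digit values only.
FIXED = '%{TIME:time}     CPU Util %:   %{BASE16FLOAT:MIN_CPU} /   %{BASE16FLOAT:AVG_CPU} /   %{BASE16FLOAT:MAX_CPU}' \
        '     Disk Util %:   %{BASE16FLOAT:MIN_DISK} /   %{BASE16FLOAT:AVG_DISK} /   %{BASE16FLOAT:MAX_DISK}'
# The answer's pattern, verbatim.
FLEX = '%{TIME:time}%{SPACE}CPU Util %:%{SPACE}%{NUMBER:MIN_CPU} /%{SPACE}%{NUMBER:AVG_CPU} /%{SPACE}%{NUMBER:MAX_CPU}' \
       '%{SPACE}Disk Util %:%{SPACE}%{NUMBER:MIN_DISK} /%{SPACE}%{NUMBER:AVG_DISK} /%{SPACE}%{NUMBER:MAX_DISK}'

[[FIXED, 'fixed spaces'], [FLEX, '%{SPACE}']].each do |expr, label|
  [LINE_SMALL, LINE_BIG].each { |l| puts "#{label}: #{grok(expr, l) ? 'match' : '_grokparsefailure'}" }
end
```

On its own, BASE16FLOAT matches `12.5` without trouble; in this reproduction the failure comes from the literal spaces, which stop lining up once a value takes four columns instead of three.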