Logstash - Basic Grok Pattern not working

1
votes

I am completely new to Logstash. I just started working on it today. I did not find any good tutorials. So I am posting my query here.

I have a basic conf file:

 input {
    file{
        path => "C:/software/logstash-5.3.0/logstash-5.3.0/bin/test1.txt"
        type => "Text File"
        start_position => "beginning"
    }
}

filter {

    grok { 
        match => [ "message", "%{WORD:File Name} %{WORD:Method Name} %{NUMBER:testing Number} %{NUMBER:testing second number}" ] 
    } 
}

output{

    file {
        path => "C:/software/logstash-5.3.0/logstash-5.3.0/bin/test_op1.txt"
        codec => line  { format => "File Name is: %{File Name} and Method Name is: %{Method Name}"
        }    
    }

    stdout {}
}

I made this conf file by seeing few examples in the google search.

My Input File contains just one line: testFile testMethod 123 345

I am just trying to understand how Logstash works here.

I ran the logstash using the above conf file and input file. It started running successfully. And "testFile testMethod 123 345" got printed on the Console. And "File Name is: %{File Name} and Method Name is: %{Method Name} " got printed to the Output File. Whereas, Expected output is: "File Name is: testFile and Method Name is: testMethod"

After adding codec=>rubydebug to the output of the config file, output is attached as an image.output

Could you please suggest me where I was wrong. Do I need to create any pattern file or Is there any default pattern file for grok.

Any help would be deeply appreciated.

Thanks.

1
logstashlogstash-grok
Based on this elastic.co support thread, I would discourage the use of spaces and inconsistent capitalization strategies in your field names - Will Barnwell
Please run this with stdout{codec => "rubydebug"} and add the results to your question - Will Barnwell
Added the results as an image to the question - Deepika Mallapragada
Thanks for the suggestion. Issue is because of the spaces used. I removed the spaces and it is working now. Thanks a lot @will - Deepika Mallapragada

1 Answers

2
votes

Identified the issue. Issue is caused by the Naming Conventions I used in the GROK pattern. Using Spaces in the GROK pattern caused the issue.

Corrected Grok Pattern

grok { 
    match => [ "message", "%{WORD:FileName} %{WORD:MethodName} %{NUMBER:Number1} %{NUMBER:Number2}" ] 
}

By using this GROK pattern, my issue is resolved. Thanks for the suggestion https://stackoverflow.com/users/5216668/will-barnwell