logstash-plugins/logstash-filter-grok

Grok won't run second time

Mojster opened this issue · 2 comments

Hi, I'm having some problems with the grok filter.
I want to use it first to get out all the fixed data. After that I would like to use it again in if/else blocks.
Those two groks in the if/else are not processed: no match, not even remove_field.
Can anybody advise me how to solve this?

  • Version: 5.4.3
  • Operating System: Windows server
  • Config File (if you have sensitive info, please remove it):

input {
  beats {
    port => "5046"
  }
}

filter {
  grok {
    match => { "message" => "%{DATA:act}#%{DATA:interface}#%{DATA:country}#%{DATA:acronym}#%{DATA:typeDB}#%{GREEDYDATA:leftovers}" }
  }
  if [act] == "CONN" {
    drop { }
  }
  ruby {
    code => "event.set('acronym', event.get('acronym').upcase)"
  }
  if [act] == "AUTH" {
    grok {
      match => { "leftovers" => "%{DATA}#%{TIMESTAMP_ISO8601:date}#%{DATA:userID}" }
      remove_field => ["leftovers"]
    }
  } else if [act] == "DISP" {
    grok {
      match => { "leftovers" => "%{TIMESTAMP_ISO8601:date}#%{DATA:outputType}#%{DATA:userID}" }
      remove_field => ["leftovers"]
    }
  }
  date {
    locale => "en"
    match => ["date", "YYYY-MM-dd HH:mm:ss,SSS"]
    timezone => "Europe/Ljubljana"
    target => "date"
  }
}

output {
  stdout { codec => rubydebug }
}

  • Sample Data:

DISP#Android#SLO#COBIB#BIB#01-jun-2017 07:13:33.158#MOBI#290018304
CONN#Android#SLO#mkl#BIB#mkl#01-jun-2017 07:12:31.594
AUTH#Android#SLO#siksg#BIB#siksg#01-jun-2017 07:11:57.734#400302

  • Output after running the sample:

{
"country" => "SLO",
"offset" => 68,
"acronym" => "COBIB",
"input_type" => "log",
"source" => "e:\data_stat\test_file.log",
"message" => "DISP#Android#SLO#COBIB#BIB#01-jun-2017 07:13:33.158#MOBI#290018304",
"type" => "log",
"interface" => "Android",
"leftovers" => "01-jun-2017 07:13:33.158#MOBI#290018304",
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "_grokparsefailure"
],
"@timestamp" => 2017-07-04T08:20:27.038Z,
"act" => "DISP",
"typeDB" => "BIB",
"@Version" => "1",
"beat" => {
"hostname" => "elastic",
"name" => "elastic",
"version" => "5.4.3"
},
"host" => "elastic"
}
{
"country" => "SLO",
"offset" => 189,
"acronym" => "SIKSG",
"input_type" => "log",
"source" => "e:\data_stat\test_file.log",
"message" => "AUTH#Android#SLO#siksg#BIB#siksg#01-jun-2017 07:11:57.734#400302",
"type" => "log",
"interface" => "Android",
"leftovers" => "siksg#01-jun-2017 07:11:57.734#400302",
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "_grokparsefailure"
],
"@timestamp" => 2017-07-04T08:20:27.038Z,
"act" => "AUTH",
"typeDB" => "BIB",
"@Version" => "1",
"beat" => {
"hostname" => "elastic",
"name" => "elastic",
"version" => "5.4.3"
},
"host" => "elastic"
}

  • Steps to Reproduce:
    Running Logstash in PowerShell and pushing logs into it with Filebeat.
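The output above shows why the second grok appears not to run: both surviving events carry the `_grokparsefailure` tag and still have `leftovers`, which is exactly what grok does when the pattern in the if/else branch fails to match. `%{TIMESTAMP_ISO8601}` expects `YYYY-MM-DD`, but the sample data carries `01-jun-2017 07:13:33.158`. The Ruby script below is an added example, not code from the issue or from the plugin: it models the filter section of the posted config as plain regexes over the three sample lines, runs it once with the posted patterns and once with a corrected timestamp pattern, and also shows a second pitfall in the posted patterns (a trailing lazy `%{DATA:userID}` matches the empty string). `APP_TIMESTAMP`, `parse_event`, `run_pipeline` and the transcription of `TIMESTAMP_ISO8601` are this example's own assumptions and approximations, not grok library code.

```ruby
require 'date'

# Constructed copy of the three lines from the issue's "Sample Data" section.
SAMPLE_LINES = [
  'DISP#Android#SLO#COBIB#BIB#01-jun-2017 07:13:33.158#MOBI#290018304',
  'CONN#Android#SLO#mkl#BIB#mkl#01-jun-2017 07:12:31.594',
  'AUTH#Android#SLO#siksg#BIB#siksg#01-jun-2017 07:11:57.734#400302'
].freeze

# Ruby regex fragments standing in for the grok patterns the config uses.
# DATA and GREEDYDATA are exact; TIMESTAMP_ISO8601 is an approximate transcription
# of the grok-patterns definition (YEAR-MONTHNUM-MONTHDAY[T ]HOUR:MINUTE(:SECOND)?).
DATA       = '.*?'
GREEDYDATA = '.*'
TIMESTAMP_ISO8601 = '(?>\d\d){1,2}-(?:0?[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01]|[1-9])[T ]' \
                    '(?:2[0-3]|[01]?\d):?[0-5]\d(?::?(?:[0-5]?\d|60)(?:[:.,]\d+)?)?' \
                    '(?:Z|[+-](?:2[0-3]|[01]?\d)(?::?[0-5]\d))?'
# Assumed replacement that fits the "01-jun-2017 07:13:33.158" layout of the data.
APP_TIMESTAMP = '(?:0[1-9]|[12]\d|3[01])-[A-Za-z]{3}-\d{4} (?:2[0-3]|[01]\d):[0-5]\d:[0-5]\d\.\d{3}'

# First grok filter: fixed prefix fields, remainder into "leftovers".
FIRST_GROK = /(?<act>#{DATA})#(?<interface>#{DATA})#(?<country>#{DATA})#(?<acronym>#{DATA})#(?<typeDB>#{DATA})#(?<leftovers>#{GREEDYDATA})/

# Second grok filters exactly as posted: TIMESTAMP_ISO8601 never matches this data.
ORIGINAL_SECOND = {
  'AUTH' => /#{DATA}#(?<date>#{TIMESTAMP_ISO8601})#(?<userID>#{DATA})/,
  'DISP' => /(?<date>#{TIMESTAMP_ISO8601})#(?<outputType>#{DATA})#(?<userID>#{DATA})/
}.freeze
ORIGINAL_DATE_FORMAT = '%Y-%m-%d %H:%M:%S,%L'   # the config's "YYYY-MM-dd HH:mm:ss,SSS"

# Corrected second grok filters: the timestamp pattern fits the data, and the
# trailing field uses GREEDYDATA, because an unanchored trailing DATA matches "".
FIXED_SECOND = {
  'AUTH' => /#{DATA}#(?<date>#{APP_TIMESTAMP})#(?<userID>#{GREEDYDATA})/,
  'DISP' => /(?<date>#{APP_TIMESTAMP})#(?<outputType>#{DATA})#(?<userID>#{GREEDYDATA})/
}.freeze
FIXED_DATE_FORMAT = '%d-%b-%Y %H:%M:%S.%L'      # Logstash equivalent: "dd-MMM-yyyy HH:mm:ss.SSS"

# Isolates the trailing-DATA pitfall: the timestamp matches, yet userID captures "".
TRAILING_DATA = /(?<date>#{APP_TIMESTAMP})#(?<outputType>#{DATA})#(?<userID>#{DATA})/

# Mirrors the filter section of the posted config for one line. Returns nil for a
# dropped event, otherwise a Hash of fields; an unmatched grok adds the
# _grokparsefailure tag and leaves "leftovers" in place, as in the issue's output.
def parse_event(line, second_groks, date_format)
  m = FIRST_GROK.match(line)
  return { 'tags' => ['_grokparsefailure'] } unless m
  event = m.named_captures
  return nil if event['act'] == 'CONN'                 # drop { }
  event['acronym'] = event['acronym'].upcase           # the ruby { } filter
  second = second_groks[event['act']]
  return event unless second                           # no if/else branch applies
  m2 = second.match(event['leftovers'])
  if m2
    event.merge!(m2.named_captures)
    event.delete('leftovers')                          # remove_field => ["leftovers"]
    # date { } filter, minus the timezone step; normalised to ISO 8601 for comparison.
    event['date'] = DateTime.strptime(event['date'], date_format).strftime('%Y-%m-%dT%H:%M:%S.%L')
  else
    event['tags'] = ['_grokparsefailure']
  end
  event
end

# Runs all sample lines through one variant of the pipeline and drops nil events.
def run_pipeline(lines, second_groks, date_format)
  lines.map { |l| parse_event(l, second_groks, date_format) }.compact
end

if __FILE__ == $PROGRAM_NAME
  puts 'As posted:'
  run_pipeline(SAMPLE_LINES, ORIGINAL_SECOND, ORIGINAL_DATE_FORMAT).each { |e| p e }
  puts 'Corrected:'
  run_pipeline(SAMPLE_LINES, FIXED_SECOND, FIXED_DATE_FORMAT).each { |e| p e }
end
```

With the posted patterns the script reproduces the issue's output (two events, both tagged `_grokparsefailure`, `leftovers` still present); with the corrected patterns every field is extracted and `date` parses. The corresponding Logstash change, as my suggestion rather than anything from the issue, would be a custom timestamp such as `(?<date>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME})`, `%{GREEDYDATA:userID}` for the last field, and `"dd-MMM-yyyy HH:mm:ss.SSS"` in the date filter. Operationally, a pattern mismatch like this is silent except for the tag, so events with `_grokparsefailure` and a missing `userID` or `date` are worth alerting on: the log is ingested, but the fields a detection rule would key on are absent.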

I suggest you post questions like this one to https://discuss.elastic.co/c/logstash/.

After this post I've started using "discuss".
Since then I only post questions here that never received an answer there.

This one was fixed by refactoring the code, so it now uses another workflow.