Develop Reference

Grok Parsing Failure in logstash with Pattern That Includes Square Brackets

I have a log pattern where every log element is enclosed in square brackets. I can't control the original log. I just want the grok parsing to ignore the brackets and only interpret what's between them. Based on something close to the following line:
2019-04-04 13.23.57.057 [52] [77] [MEASURE] [XYZService]
, I want the pattern to see the 52 as a threadId. I have the following code:
if [message] =~ "MEASURE" {
grok {
match => { " message" => "%{TIMESTAMP_ISO8601:logtime} [%{NUMBER:threadId}] %{GREEDYDATA:restofmessage}" }
}
}
else {
drop()
}
In this state, I get a grokparsefailure when logstash attempts to interpret the line. I am certain its only related to the bracketed portion, because when I remove that pattern, every works fine. I would be grateful for any ideas what I am doing wrong. Thanks

nevermind. I got it to work by escaping the brackets like this: \ [ %{NUMBER:threadId}
\ ]

Grok regex with escaped “[“, “(“, and “)” chars problems

Elastic newbie here - working with a new 5.5 install. I have a log line that looks like so:
[2015/10/01#19:48:22.785-0400] P-4780 T-2208 I DBUTIL : (451) prostrct
create session begin for timk519 on CON:.
I have the following regex:
\[%{DATE:date}#%{TIME:time}-(?<gmtoffset>\d{4})\]\s*(?<procid>P-[0-9]+)\s*(?<threadid>T-[0-9]+)\s*(?<msgtype>[ifIF])\s*(?<processtype>[a-zA-Z]+)\s*(?<usernumber>[0-9]+|[:])\s*\((?<msgnum>[0-9]+|[\-]+)\)\s*%{GREEDYDATA:message}
When I try it in the kibana grok debugger it doesn't work and I get the following error:
GrokDebugger: [parse_exception] [pattern_definitions] property isn't a
map, but of type [java.lang.String], with { header={
processor_type="grok" & property_name="pattern_definitions" } }
this appears to be due to the \[ at the start of the line. If I replace the leading \[ with a period "." I get this
.%{DATE:date}#%{TIME:time}-(?<gmtoffset>\d{4})\]\s*(?<procid>P-[0-9]+)\s*(?<threadid>T-[0-9]+)\s*(?<msgtype>[ifIF])\s*(?<processtype>[a-zA-Z]+)\s*(?<usernumber>[0-9]+|[:])\s*\((?<msgnum>[0-9]+|[\-]+)\)\s*%{GREEDYDATA:message}
the grok debugger and https://grokdebug.herokuapp.com/ are good with this pattern.
When I put this regex into logstash, it fails to recognize the msgnum (451) part of the line because of the escaped parens \( and \) around the msgnum field, and as a result fails to recognize the line as a legal string.
Am I escaping something incorrectly? Is this a bug?
UPDATE 2017-07-21
I got around the issue with escaping ( and ) by putting them in [(] and [)]. I haven't figured out a way to solve matching the leading [ yet.
UPDATE 2017-07-24
The answer below was an epic catch and I've used that to create the following custom patterns:
DBTIME %{TIME}[-+]\d{4}
DBTIMESTAMP %{YEAR}/%{MONTHNUM}/%{MONTHDAY}#%{DBTIME}
which I've implemented in my grok statement like so:
\[%{DBTIMESTAMP:dbdatetime}\]\s*%{PROCESSID:processid}\s*%{DBTHREADID:threadid}\s*%{DBMSGTYPE:msgtype}\s*%{PROCESSTYPE:processtype}?\s*%{USERNUMBER:usernumber}?\s*:\s*[(]%{MSGNUMBER:msgnumber}[)].\s*%{GREEDYDATA:eventmessage}\s*\r
I then use the date filter to turn the dbdatetime into a #timestamp setting, and now the regex matches the incoming log stream which is what I want. Thx!

The devil is in the detail and the error is not apparent at first. The reason the Grok Debugger fails is because of your use of the DATE pattern. This pattern resolves like this:
DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
DATE_EU %{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}
MONTHNUM and MONTHDAY are both 2 digit patterns, which in turn actually means they are matching the 15 in your year. This is the reason why the pattern does not work because \[%{DATE} is actually not matching (it is missing the 20). Why does the pattern .%{DATE} work tough? Because you are not matching the [ with the dot, your are matching the 0 of the year.
How to fix this? Use a custom pattern to match the date. Something like this works:
\[(?<date>%{YEAR}/%{MONTHNUM}/%{MONTHDAY})#%{TIME:time}-(?<gmtoffset>\d{4})\]\s*(?<procid>P-[0-9]+)\s*(?<threadid>T-[0-9]+)\s*(?<msgtype>[ifIF])\s*(?<processtype>[a-zA-Z]+)\s*(?<usernumber>[0-9]+|[:])\s*\((?<msgnum>[0-9]+|[\-]+)\)\s*%{GREEDYDATA:message}
This will return the following output:
{
"date": "2015/10/01",
"msgnum": "451",
"procid": "P-4780",
"processtype": "DBUTIL",
"message": "prostrct create session begin for timk519 on CON:.",
"threadid": "T-2208",
"usernumber": ":",
"gmtoffset": "0400",
"time": "19:48:22.785",
"msgtype": "I"
}

Logstash grok pattern for space field

Hi How to write a grok expression for the below log
[2017-03-25T00:00:07,137][WARN ]
match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}/]/[%{LOGLEVEL:log-level}\s*\]" }
Is this correct , how to write space in grok ?
Thanks

%{SPACE} is that pattern that matches 0 or more spaces, which is very useful if you don't know (or care!) if there will be a space or not.

Getting parsing error while writting custom grok filter

I am new to regex and using logstack grok filter. I have to write my own regex to filter this message
NAID-iOS-3093448A-BC34-4FE1-A057-29AD2CEF8FD3-1471410782.565937 IP-202.174.93.103 2016-08-17 00:13:09,963
my grok filter is
grok{
match => {"message" => "%{DATA:deviceid}%{IP:Serverip}%{%{YEAR}[-]%{MONTHNUM}[-]%{MONTHDAY}:Date}%{GREEDYDATA:data}"}
}
the default DATE_EU entry in grok has %{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}
but i needed a reverse of it so I wrote
%{%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}:Date} instead of %{DATE_EU:Date} but getting [0]_grok parsefailure message in my syntax.
I even followed https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html#_custom_patterns and created a patterns directory inside logstash folder I am using windows and added DATE_LOG %{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY} entry inside file named "extra" but again got parsing_error.

You're using bad syntax. While parsing a log line you name each part with your own variables, for example:
%{MONTHNUM:month}-%{MONTHDAY:day}
and then you complete your own format this way:
replace => ['timestamp', '%{month}-%{day}']

Different structure in a few lines in my log file

My log file contains different structures in a few lines, and I can not grok it, I don't know if we can test by lines or attribute, I'm still a beginner.
if you don't understand me I can give you some examples :
input :
id=firewall action=bloc type=web
id=firewall fw="ER" type=filter
id=firewall fw="Az" tz="loo" action=bloc
Pattern:
id=%{WORD:id} ...
I thought to add some patterns between ()?,
but i don't know exactly how to do it.
you can use this site to test it http://grokdebug.herokuapp.com/
Any help please? What should i do :(

Logstash supports key-value Values, take a look at http://logstash.net/docs/1.4.2/filters/kv.
Or you could use multiple match values:
grok {
patterns_dir => "./patterns"
match => [
"message", "%{BASE_PATTERN} %{EXTRA_PATTERN}",
"message", "%{BASE_PATTERN}",
"message", "%{SOME_OTHER_PATTERN}"
]
}

Not sure if I understood well your question but I will try to answer. I think the first thing you have to do is to parse the different fields from your input. Example of pattern to parse your first line input :
PATTERN %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} (in $LOGSTASH_HOME/pattern/extra)
Then in your logstash configuration file :
filter {
grok {
patterns_dir => "$LOGSTASH_HOME/pattern"
match => [ "message" => "%{PATTERN}" ]
}
}
This will match your first line as 3 fields ("id=firewall" "action=bloc" "type=web") (you have to adapt it if you have more than 3 fields).
And the last thing you seem be looking for is splitting field (in key-value scheme) like id=firewall would become id => "firewall". This can be done with the kv plugin. I never used it but I recommend you the logstash docs here
If I did not understand you question, please be more clear.