I'm testing a logstash configuration with rspec to match a basic tomcat log; when I specify fields in the grok pattern it fails (without fields, it succeeds!).

    config <<-CONFIG
      filter {
        grok {
          patterns_dir => "./patterns"
          pattern => "%{CATALINA_DATESTAMP:logtimestamp} %{JAVACLASS} %{WORD}"
        }
      }
    CONFIG

    sample 'Jul 15, 2015 9:33:23 org.apache.catalina.core.ApplicationContext log'

Edit: corrected TOMCAT_DATESTAMP to CATALINA_DATESTAMP, which is:

    CATALINA_DATESTAMP %{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)

When the ":logtimestamp" part is in the pattern, nothing is matched. When it's removed, it matches the line... Any ideas on why? User error, install error or something else?

The problem is caused by the TOMCAT_DATESTAMP pattern. When you take a look at the grok default patterns for Java you'll see that it doesn't match your input.

This is the pattern definition:

    TOMCAT_DATESTAMP 20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}

Your input is:

    Jul 15, 2015 9:33:23

Either change your input to fit the pattern or define a different pattern. The following might suit your purpose:

    %{MONTH} %{MONTHDAY}, %{YEAR} %{TIME}
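
The mismatch described in the answer can be checked outside Logstash. The following is an added example, not part of the original post and not Logstash's own code: a minimal grok expander in Ruby that runs TOMCAT_DATESTAMP and the suggested pattern against the sample line. The sub-pattern definitions are simplified reproductions (an assumption to verify against your installed pattern files), and `SUGGESTED_DATESTAMP`, `expand` and `grok_match` are hypothetical names.

```ruby
# Added example: a minimal grok expander, not Logstash's own implementation.
# Definitions are simplified reproductions (assumption); check them against
# the pattern files shipped with your Logstash version.
GROK = {
  'MONTH'    => '\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|' \
                'Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b',
  'MONTHNUM' => '(?:0?[1-9]|1[0-2])',
  'MONTHDAY' => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  'YEAR'     => '(?>\d\d){1,2}',
  'HOUR'     => '(?:2[0123]|[01]?[0-9])',
  'MINUTE'   => '(?:[0-5][0-9])',
  'SECOND'   => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  'TIME'     => '%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])',
  'ISO8601_TIMEZONE' => '(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))',
  # The definition quoted in the answer.
  'TOMCAT_DATESTAMP' =>
    '20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}',
  # Hypothetical name for the pattern the answer suggests.
  'SUGGESTED_DATESTAMP' => '%{MONTH} %{MONTHDAY}, %{YEAR} %{TIME}'
}.freeze

# Recursively replace %{NAME} and %{NAME:field} with their regex bodies.
# A field name becomes a named capture; an unknown NAME raises KeyError.
def expand(pattern)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name = Regexp.last_match(1)
    field = Regexp.last_match(2)
    body = expand(GROK.fetch(name))
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Returns a hash of captured fields on a match, nil when the line does not match.
def grok_match(pattern, line)
  Regexp.new(expand(pattern)).match(line)&.named_captures
end

# Sample line as it appears in the question.
LINE = 'Jul 15, 2015 9:33:23 org.apache.catalina.core.ApplicationContext log'

if __FILE__ == $PROGRAM_NAME
  %w[TOMCAT_DATESTAMP SUGGESTED_DATESTAMP].each do |name|
    result = grok_match("%{#{name}:logtimestamp}", LINE)
    puts "#{name}: #{result ? result.inspect : 'no match'}"
  end
end
```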