Best way to refer to objects in grok patterns #39
Comments
It seems Logstash is treating fields differently if they are defined as [][] vs. "." notation.
As using [][] notation in the regex capture makes Logstash fail, I have to use "." notation (see event.action). But when I later create a conditional using, for example:
All the above conditionals fail somehow... So how should I do a named regex capture to an object if I can't use [][]? For the record, the field event.action is indexed correctly to Elasticsearch. Also tried with:
But those make my Logstash fail to execute the action... I found this issue: logstash-plugins/logstash-filter-grok#66 which actually describes my problem... I'm not sure how I can continue migrating my F5 grok patterns to objects with this issue... Is there anyone who knows a workaround? |
Elasticsearch and Logstash treat names with dots in them differently. For data indexed in Elasticsearch 5.0 and newer, the JSON objects It is preferable to index events in the form of To work around the problem with the grok filter you can simply use |
I run the logstash with the configuration file:
and with the
The expanded GREEDYDATA grok pattern contains its name as the field name prefix. I modified the regex part of your pattern to contain some pattern name prefix:
Expanded regular expression looks good and
I hope it helps you. |
This confusion comes from differences in the platforms grok is running on: Logstash uses square brackets for field references and ingest node uses dots, so Kibana's grok debugger will use dots as well. The solution that creates less friction is for one of these two (or both) to support both notations. |
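To make the notation difference concrete, here is an added example (not code from this issue, from Logstash, or from ECS): a small Python stand-in for a grok compiler that accepts both `[event][action]` and `event.action` as the capture name, writes the value into a nested object, and resolves Logstash-style conditional references against the result. The pattern table, the sample F5-like log line and the field names are constructed for illustration. It also shows why a conditional on `[event][action]` finds nothing when the event only holds a flat key literally named `event.action`, which is the situation described above.

```python
import re

# Constructed sample line and a tiny grok pattern table (not from the issue).
SAMPLE_LINE = "Mar 10 12:00:01 bigip tmm[1234]: <HTTP_REQUEST>: action=deny client=10.0.0.5"

GROK_PATTERNS = {
    "WORD": r"\w+",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "GREEDYDATA": r".*",
}

# %{PATTERN} or %{PATTERN:field}; the field part may be [a][b] or a.b
FIELD_REF = re.compile(r"%\{(\w+)(?::([^}]+))?\}")


def field_path(name):
    """Normalize '[event][action]' or 'event.action' to ['event', 'action'].

    A bracketed segment is taken literally, so '[event.action]' refers to a
    single top-level key named 'event.action' (Logstash semantics), while the
    bare dotted form is split into a nested path (ingest node / Kibana form).
    """
    if name.startswith("["):
        parts = re.findall(r"\[([^\]]+)\]", name)
        if "".join("[%s]" % p for p in parts) != name:
            raise ValueError("malformed bracket reference: %r" % name)
        return parts
    return name.split(".")


def compile_grok(pattern):
    """Translate a grok pattern into a compiled Python regex plus a side table.

    Python group names cannot contain '.' or '[', so each capture gets a
    synthetic name g0, g1, ... and the side table maps it back to a field path.
    """
    paths = {}

    def repl(m):
        name, field = m.group(1), m.group(2)
        sub = GROK_PATTERNS[name]
        if field is None:
            return "(?:%s)" % sub          # unnamed: match but do not capture
        gname = "g%d" % len(paths)
        paths[gname] = field_path(field)
        return "(?P<%s>%s)" % (gname, sub)

    return re.compile(FIELD_REF.sub(repl, pattern)), paths


def grok_match(pattern, line):
    """Apply a grok pattern to a line and return a nested event dict (or None)."""
    regex, paths = compile_grok(pattern)
    m = regex.search(line)
    if not m:
        return None
    event = {}
    for gname, path in paths.items():
        node = event
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = m.group(gname)
    return event


def get_field(event, ref):
    """Resolve a Logstash-style field reference ('[a][b]' or 'a.b') against an event."""
    node = event
    for key in field_path(ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


if __name__ == "__main__":
    pattern = "action=%{WORD:[event][action]} client=%{IP:source.ip}"
    ev = grok_match(pattern, SAMPLE_LINE)
    print(ev)                                   # nested object, both notations
    print(get_field(ev, "[event][action]"))     # 'deny'
    flat = {"event.action": "deny"}             # what a literal dotted name yields
    print(get_field(flat, "[event][action]"))   # None: conditional would fail
    print(get_field(flat, "[event.action]"))    # 'deny': literal key reference
```

The usage block at the bottom mirrors the two situations in the thread: a capture into `[event][action]` and a capture into `source.ip` both land in nested objects, so a conditional written either way resolves; a flat key literally named `event.action` is only reachable as `[event.action]`, which is why `[event][action]` conditionals fail against it.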
Does everyone here agree that this issue in ECS can be closed, in favour of the one in the Logstash repo? :-) |
Hello,
I was wondering why the grok debugger in Kibana seems not able to understand objects when referenced with [object][subobject] notation?
Does this mean I should use 'object.subobject' in grok patterns if I want to facilitate grok debugging? http://grokconstructor.appspot.com/do/match seems to have the same behaviour.
Grtz
Willem