Logstash regex pattern issue

Asked Jun 15 '17 at 05:20

Active Jun 15 '17 at 05:20

Viewed 68 times

I have sample plain text:

..done, Total time: 10, Errors: 5, there is some text here Results:, , Total time: 10, Errors: 5, , [INFO]...

I am trying to parse values of Total time and Errors fields in Logstash grok filter with the following pattern:

grok {
  match => {"message" => ".*Total\stime\:\s(?<time>\d*).*Errors\:\s(?<errors>\d*)"}
}

But it assigns two values to every field:

Total time 10, 10

Errors 5, 5;

Is there any way to parse the values of those fields correctly, with one value only?

edited Jun 20 '20 at 09:12

Community

asked Jun 15 '17 at 05:20

rw412

I remember someone having similar issue. Check that 1) your input is on 1 single line and `Total time` and `Errors:` only appear once (else, try replacing `.*` with `[\s\S]` or `[\\s\\S]`, not sure about the number of backslashes), 2) try deleting the existing pipeline in elasticsearch and retry. I'd also use `.*Total\s+time:\s*(?\d+).*Errors:\s*(?\d+)` pattern. – Wiktor Stribiżew Jun 15 '17 at 08:43
@WiktorStribiżew Thanks. I tried this pattern `.*Total\s+time:\s*(?\d+).*Errors:\s*(?\d+)` but it again created two values. I also tried `[\s\S]Total\s+time:\s*(?\d+).[\s\S]Errors:\s*(?\d+)` and it failed, though it passed on https://grokdebug.herokuapp.com/ Do you have any other suggestions? – rw412 Jun 15 '17 at 18:02
I actuall meant `[\s\S]*`, not `[\s\S]`.However, I believe there is some issue with the pipeline or the input. – Wiktor Stribiżew Jun 15 '17 at 20:51

0 Answers0