Tags: logstash, logstash-grok, filebeat, logstash-configuration

Logstash Grok regex expression works fine alone but doesn't work when grouped with other grok expressions


My grok expression works fine when used with the matching string alone but when I use this grok expression with other grok expressions to capture other data that's also present in the log line, it doesn't match with the same matching string.

Case 1: The grok expression below works fine when run alone against the log string below, and the value is captured in the field targetMessage.

Log string: Tracking : sent request to msgDestination

Grok expression: (?<targetMessage>^Tracking : (?:received response from|sent request to) msgDestination$)

Case 2: When I try to run the expression with some other data also present in the log string, it doesn't work, i.e. the grok expression doesn't match the same string as used above.

Log string: 2022-11-26 8:16:39,873 INFO [task.SomeTask] Tracking : sent request to msgDestination : MODULE1|SERVICE1|20220330051054|TASK1

Grok expression: %{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} \[(?<classname>[^\]]+)\] (?<targetMessage>^Tracking : (?:received response from|sent request to) msgDestination$) : %{WORD:moduleName}\|%{WORD:service}\|%{INT:requestId}\|%{WORD:taskName}

Debug tool used: https://grokdebug.herokuapp.com/

Can anyone please suggest what mistake I'm making here?


Solution

  • ^ and $ anchor an expression to the start and end of a line respectively. You have both inside the targetMessage custom pattern, and that is in the middle of the line, so neither one matches. Remove both ^ and $.
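The behaviour described in the answer, reproduced as an added example that is not part of the original post. It is written in Ruby, whose regex engine shares grok's Oniguruma syntax. The `GROK` table holds simplified stand-ins for the real grok pattern definitions, and `compile_grok` and `grok_match` are hypothetical helpers, not Logstash APIs.

```ruby
# Simplified stand-ins for the grok patterns used in the question (assumptions,
# not the real grok definitions): just enough to match the sample line.
GROK = {
  "TIMESTAMP_ISO8601" => '\d{4}-\d{2}-\d{2}[T ]\d{1,2}:\d{2}:\d{2}(?:[.,]\d+)?',
  "LOGLEVEL"          => '(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)',
  "WORD"              => '\b\w+\b',
  "INT"               => '[+-]?\d+',
}.freeze

# Expand %{NAME:field} into a named capture group, the way grok does.
def compile_grok(expr)
  Regexp.new(expr.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{GROK.fetch($1)})" })
end

# Return the captured fields as a hash, or nil when the line does not match.
def grok_match(expr, line)
  m = compile_grok(expr).match(line)
  m && m.named_captures
end

PREFIX  = '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} \[(?<classname>[^\]]+)\] '
MESSAGE = 'Tracking : (?:received response from|sent request to) msgDestination'
SUFFIX  = ' : %{WORD:moduleName}\|%{WORD:service}\|%{INT:requestId}\|%{WORD:taskName}'

# Case 2 from the question: ^ and $ sit in the middle of the line.
ANCHORED   = PREFIX + '(?<targetMessage>^' + MESSAGE + '$)' + SUFFIX
# The fix from the answer: drop both anchors from the inner group.
FIXED      = PREFIX + '(?<targetMessage>' + MESSAGE + ')' + SUFFIX
# Anchors are still fine at the true start and end of the whole expression.
WHOLE_LINE = '^' + FIXED + '$'

# Log line from the question.
LINE = '2022-11-26 8:16:39,873 INFO [task.SomeTask] Tracking : sent request ' \
       'to msgDestination : MODULE1|SERVICE1|20220330051054|TASK1'

{ "anchored" => ANCHORED, "fixed" => FIXED, "whole line" => WHOLE_LINE }.each do |name, expr|
  fields = grok_match(expr, LINE)
  puts "#{name}: #{fields ? fields.inspect : 'no match'}"
end
```
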