Logstash, how to use grok patterns coming from event data

1/11/2018

I have an ELK stack deployed on kubernetes used to collect containers' data. Among all the rest, it is using a grok filter to parse the actual log line based on a pattern.

My wish is to be able to setup this pattern by using an annotation in the kubernetes pod.

I added an annotation called elk-grok-pattern in the pod, configured filebeat in order to forward the annotation and I can get the annotation value as a field in my event in logstash, so far so good.

The problem is that I am unable to use the value of my field as a grok pattern.

The annotation in my pod looks like this:

Annotations:    elk-grok-pattern=%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:status} %{NUMBER:response_time}

The filter I am trying to use is similar to the following:

filter {
  # create a new field called "elk-grok-pattern" from the pod annotation
  mutate {
    rename => { "[kubernetes][annotations][elk-grok-pattern]" => "elk-grok-pattern" }
  }

  grok {
    pattern_definitions => {
      "CUSTOM" => "%{elk-grok-pattern}"
    }
    match => { "log" => "%{CUSTOM}" }
  }
}

Unluckily this leads to an error:

Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<Grok::PatternError: pattern %{elk-grok-pattern} not defined>

In practice, grok is interpreting my pattern literally, and not evaluating the string content coming from the event.

I also tried using the pattern directly, without defining a pattern_definition, like this:

grok {
  match => { "log" => "%{elk-grok-pattern}" }
}

But I get the same exact error.

Is there a way to accomplish my goal? Any advice or possible workaround would be much appreciated.

-- whites11
elastic-stack
kubernetes
logstash
logstash-grok
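The error above comes from the way grok works: every `%{NAME}` reference is resolved against a pattern library and compiled into a regular expression when the pipeline starts, so a `%{...}` token is never looked up in the event. The following is an added illustration of that expansion step, not Logstash's own code; it uses a hand-picked subset of the stock grok definitions (GROK_LIBRARY), a constructed event whose pattern comes from the annotation, and a hypothetical `grok_from_event` helper showing what a per-event expansion (for instance inside a Logstash `ruby` filter) would have to do itself.

```ruby
# Minimal grok-style pattern expansion. Added example, not Logstash code.
# GROK_LIBRARY is a small constructed subset of the stock grok definitions;
# real grok definitions can also reference each other, which this skips.
GROK_LIBRARY = {
  "IP"           => '(?:\d{1,3}\.){3}\d{1,3}',
  "WORD"         => '\b\w+\b',
  "URIPATHPARAM" => '/[^\s?]*(?:\?[^\s]*)?',
  "NUMBER"       => '[+-]?(?:\d+\.?\d*|\.\d+)',
}.freeze

# Expand %{NAME} and %{NAME:field} into a Ruby Regexp. A NAME missing from
# the library raises, which is exactly what grok reports for
# %{elk-grok-pattern}: it is looked up as a pattern name, not as a field.
def compile_grok(pattern, library = GROK_LIBRARY)
  src = pattern.gsub(/%\{([A-Za-z0-9_-]+)(?::([A-Za-z0-9_]+))?\}/) do
    name  = Regexp.last_match(1)
    field = Regexp.last_match(2)
    body  = library[name]
    raise(ArgumentError, "pattern %{#{name}} not defined") unless body
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
  Regexp.new(src)
end

# Hypothetical per-event expansion: read the pattern carried by the event
# (the pod annotation) and apply it to the event's log line. On a miss,
# tag the event the way grok does instead of raising.
def grok_from_event(event)
  re = compile_grok(event["elk-grok-pattern"])
  m  = re.match(event["log"])
  return event.merge("tags" => ["_grokparsefailure"]) unless m
  event.merge(m.named_captures)
end

# Constructed sample event: a log line plus the annotation-derived pattern.
SAMPLE_EVENT = {
  "log" => "10.0.0.5 GET /api/items?id=7 200 0.042",
  "elk-grok-pattern" =>
    "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} " \
    "%{NUMBER:status} %{NUMBER:response_time}",
}.freeze

if __FILE__ == $PROGRAM_NAME
  p grok_from_event(SAMPLE_EVENT)
  begin
    compile_grok("%{elk-grok-pattern}")
  rescue ArgumentError => e
    puts e.message   # the same lookup failure the pipeline error reports
  end
end
```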

1 Answer

1/11/2018

If you don't wish to use this pattern in other places, why not just use it in the match like this?

grok {
  match => { "log" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:status} %{NUMBER:response_time}" }
}

If you want to use it later in other filters, check out this page on pattern creation:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html#setting_patterns_dir

-- MrSimple
Source: StackOverflow