Telegraf tail-plugin with grok: no data written to influxdb

hi,
i am parsing an sftp-log for certain requests. if matched an entry should be written in influxdb.

this is my telegraf-conf:

  files = ["/var/log/proftpd/sftp.log"]
  watch_method = "inotify"
  from_beginning = true

grok_timezone = "Europe/Berlin"
data_format = "grok"
grok_patterns = ["%{CUSTOM_LOG}"]
grok_custom_patterns = '''
CUSTOM_LOG %{DATE:date}.%{TIME:time}\,[0-9]{3} .* requested read offset .* greater.than.size.of.\'\/%{GREEDYDATA:iosversion:tag}\/lxos.inf.*
'''

a match looks like this:

> tail,host=big-vtransfer02,iosversion=IGEL_OS_11-11.08.110,path=/var/log/proftpd/sftp.log date="22-11-16",num=1i,time="08:41:31" 1668599461271264300

but i don’t see any data in influxdb.
what is wrong?

regards,
andre

You are going to need to provide some logs from Telegraf, ideally with debug mode on. It should have an entry where it says it “wrote {#} metric” to influxdb or something similar. That would confirm that it is at least writing data to influxdb.

Have you tried with other watch_method (“inotify” or “poll”)?

I’m on Windows and only poll works for me, just try it out and see if that’s the case for you too.

yes, that worked! thanks. in poll mode data is written to influxdb.

do you know how to write a “1” into influxdb if my grok pattern matches? currently the date is written, which i don’t need. i can remove it from my grok, but how to enter a static value?

did it with processors.enum.mapping:

[[processors.enum]]
  [[processors.enum.mapping]]
    field = "lxos.inf"
    dest = "num"
    [processors.enum.mapping.value_mappings]
    "lxos.inf" = 1