user1077071

Reputation: 961

Logstash and Grok filter failure

My log file has a single line (taken from the tutorial log file):

55.3.244.1 GET /index.html 15824 0.043 

My conf file looks something like this:

input {
  file {
    path => "../http.log"
    type => "http"
  }
}

filter {
  grok {
    type => "http"
    match => [ "message", "%{IP:client}" ]
  }
}

I tested my grok filter with the grok debugger and it worked. I'm at a loss as to what I am doing wrong. I get a [0] "_grokparsefailure" every time.

Upvotes: 0

Views: 365

Answers (1)

user3195649

Reputation: 437

As far as debugging a grok filter goes, you can use this link (http://grokdebug.herokuapp.com/). It has a very comprehensive pattern detector, which is a good start.

If you only care about the IP and not the remaining part of the log message, the following filter should work for you.

%{IP:host} %{GREEDYDATA:remaining_data}

The best method to debug is to use the stdin and stdout plugins for logstash and debug your grok patterns.

You can find the documentation here http://logstash.net/docs/1.4.2/

Upvotes: 2
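
The stdin/stdout debugging loop recommended in the answer, written out as an added example (not part of the original answer or the question's config). The field names and the file name `debug.conf` are illustrative assumptions; the pattern targets the sample line from the question.

```logstash
# debug.conf (hypothetical file name): read lines typed or pasted on stdin,
# run them through grok, and print the full parsed event on stdout.
input {
  stdin { type => "http" }
}

filter {
  grok {
    # Matches the question's sample line: 55.3.244.1 GET /index.html 15824 0.043
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
  }
}

output {
  # rubydebug prints every field of the event, including the tags array.
  # A matching line shows client, method, request, bytes and duration;
  # a non-matching line shows "_grokparsefailure" in tags and no parsed fields.
  stdout { codec => rubydebug }
}
```

Start it with `bin/logstash -f debug.conf` and paste log lines one at a time. Once the pattern parses cleanly here, move the same grok block back into the file-input pipeline.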
