Reputation: 18764
Logstash grok parse error parsing log file
I am trying to parse this log format:
http://localhost:8080/,200,OK,11382,date=Mon 27 Apr 2015 12:56:33 GMT;newheader=foo;connection=close;content-type=text/html;charset=ISO-8859-1;server=Apache-Coyote/1.1;
with this config file:
input {
stdin{}
}
filter {
grok {
match => [ "message" , "%{URI:uriaccessed},%{NUMBER:httpcode},%{WORD:httpcodeverb},%{NUMBER:bytes},date=%{TIMESTAMP_ISO8601:logtimestamp};%{GREEDYDATA:msg}"]
}
mutate{
convert => ["httpcode","integer"]
convert => ["bytes","integer"]
}
date {
locale => "en"
match => [ "logtimestamp" , "EEE dd MMM yyy HH:mm:ss" ] #Mon 27 Apr 2015 12:56:33 GMT
}
}
output {
stdout { codec => rubydebug }
}
However, I am getting a grok prase failure, I am not sure what the problem is. cant seem to pin point the pattern that is causing the problem. Any thoughts/comments would be appreciated.
Upvotes: 0
Views: 1703
Answers (2)
Reputation: 11
The timestamp in your log example does not match the TIMESTAMP_ISO8601 pattern. You could try other patterns, but I suspect the double space between "Mon" and "27" will be a problem, and I don't see "GMT" matching the TZ pattern. You could try adding your own pattern file with a TZORGMT entry and then use it in a match like this:
TZORGMT (?:[PMCE][SD]T|UTC|GMT)
%{URI:uriaccessed},%{NUMBER:httpcode},%{WORD:httpcodeverb},%{NUMBER:bytes},date=%{DAY} %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{TZORGMT}
The grok debugger at https://grokdebug.herokuapp.com/ is helpful for debugging things like this.
If you're then going to do a date { match }, you'll need to write a pattern for that, something like:
"dd MM YYYY HH:mm:ss ZZ"
Upvotes: 1
Reputation: 16362
TIMESTAMP_ISO8601 matches:
%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
and your date is not in that format. There doesn't seem to be a predefined pattern for you, so here's one that will work:
%{DAY} +%{MONTHDAY} %{MONTH} %{YEAR} +%{TIME} %{WORD}
Note that %{TZ} doesn't like GMT, so I used %{WORD}.
Good luck.
Upvotes: 3
Related Questions
- Logstash grok config error - while parsing file name
- logstash grok filter-grok parse failure
- GROK parse failure for logstash
- Logstash grok filter error "_grokparsefailure"
- Trying to parse a custom log using grok
- Logstash Grok Parsing Issue
- Logstash grok pattern issue
- Getting logstash log parse error: grokparsefailure
- logstash: grok parse failure
- Logstash - grok not parsing even with grokdebugger being happy