SLFl
Reputation: 313
Parsing data with grok filter on logstash
I'm having problems using grok filter on logstash. I have this log:
83.149.9.216 - - [04/Jan/2015:05:13:42 +0000]
And I want to parse the IP and the date. I have the code below but I'm getting no matches.
^%{IPV4:req_id} - - \[(?<date>%{DAY}/%{MONTH}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND} +0000)]
What am I doing wrong? Thanks!
Upvotes: 1
Views: 503
Answers (1)
Wiktor Stribiżew
Reputation: 627535
You should change %{DAY} (=day of the week name) to %{MONTHDAY} (to match the numbers) and escape the + to match it as a literal + char:
^%{IPV4:req_id} - - \[(?<date>%{MONTHDAY}/%{MONTH}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND} \+0000)]
^^^^^^^^^^^ ^
As suggested by Calvin Taylor, you may further enhance the pattern to match any ISO8601 time zone with %{ISO8601_TIMEZONE} instead of \+0000:
^%{IPV4:req_id} - - \[(?<date>%{MONTHDAY}/%{MONTH}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})]
^^^^^^^^^^^^^^^^^^^
See Grok patterns:
MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)
Upvotes: 3
Related Questions
- GROK Parsing with regex
- logstash log parsing with regex and grok
- RegEx Filter Works In RegExr But Not Logstash Grok
- grok parsing issue
- Regular expressions for grok pattern
- Custom Grok regular expression matcher
- Logstash grok filter regex
- Logstash Grok pattern with multiple matches
- how do you parse text in grok
- Logstash grok pattern to filter custom Log message