Bhavin Varsur

Reputation: 327

logstash email Grok pattern

I'm using Logstash v7.9.2. I've used NLog in my .NET Core project to create logs, and I logged the user's email in the log file. The log format looks like this:

<variable name="ExceptionLayout" value="${aspnet-request-url:IncludeHost=true:IncludePort=true:IncludeQueryString=true} ${aspnet-request-method} ${event-properties:item=UserId} ${event-properties:item=Email} ${event-properties:item=UserName} ${exception:format=tostring,Stacktrace}"/>
<variable name="CommonLayout" value="${longdate} [${processid}] ${uppercase:${level}} ${logger:shortName=true} ${aspnet-Request-Ip} ${message} ${onexception:inner=${ExceptionLayout}}"/>

And a log example looks like this:

021-02-13 11:08:22.6739 [20880] ERROR GroupController 10.10.3.241 Found Duplicate Group 'ty'. http://bhavin:12100/Groups POST 14390b07-9407-4abb-9504-34eb02d504c1 [email protected] AA2580 FinanceAPI.Execptions.InvalidDataException: Found Duplicate Group 'ty'. at FinanceAPI.Controllers.GroupController.Insert(Group group) in D:\Git\finance.api\FinanceAPI\Controllers\GroupController.cs:line 49 at FinanceAPI.Controllers.GroupController.Insert(Group group) in D:\Git\finance.api\FinanceAPI\Controllers\GroupController.cs:line 49

I'm trying this grok pattern for the above log.

"%{TIMESTAMP_ISO8601:Time} \[%{INT:ProcessId}]\ %{LOGLEVEL:Level} %{DATA:Logger} %{IPV4:ClientIp} %{URI:RequestUrl} %{WORD:RequestMethod} %{USER:UserID} %{EMAILADDRESS:Email} %{GREEDYDATA:Message}"

But it doesn't work. What am I doing wrong here?

Upvotes: 0

Views: 214

Answers (1)

Badger

Reputation: 4072

You need to add %{DATA} between %{IPV4:ClientIp} and %{URI:RequestUrl} in order to match Found Duplicate Group 'ty'..

Upvotes: 1
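
A way to check the answer's fix offline, as an added example that is not part of the original question or answer: the Python sketch below expands both grok expressions into regular expressions and runs them against the sample line. The `GROK` table holds simplified stand-ins for the stock grok patterns (an assumption, not the real definitions), the helper names are hypothetical, and the e-mail address in `SAMPLE` is a constructed placeholder because the page shows it redacted.

```python
import re

# Simplified stand-ins for the stock grok patterns (assumption: close enough
# for this log line, not the exact logstash-patterns-core definitions).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "INT": r"[+-]?\d+",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL)",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "URI": r"[A-Za-z][A-Za-z0-9+.-]*://\S+",
    "WORD": r"\b\w+\b",
    "USER": r"[a-zA-Z0-9._-]+",
    "EMAILADDRESS": r"[A-Za-z0-9_.+=:-]+@[A-Za-z0-9.-]+",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} into a named group and %{NAME} into a plain group."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))

def grok_match(pattern, line):
    """Return the captured fields, or None when the pattern does not match."""
    m = grok_to_regex(pattern).search(line)  # grok is unanchored, like search()
    return m.groupdict() if m else None

HEAD = r"%{TIMESTAMP_ISO8601:Time} \[%{INT:ProcessId}]\ %{LOGLEVEL:Level} %{DATA:Logger} %{IPV4:ClientIp} "
TAIL = r"%{URI:RequestUrl} %{WORD:RequestMethod} %{USER:UserID} %{EMAILADDRESS:Email} %{GREEDYDATA:Message}"
QUESTION_PATTERN = HEAD + TAIL             # pattern from the question
ANSWER_PATTERN = HEAD + "%{DATA} " + TAIL  # %{DATA} added as the answer says

# Constructed sample: the question's line with a placeholder e-mail address
# and the stack trace shortened.
SAMPLE = ("2021-02-13 11:08:22.6739 [20880] ERROR GroupController 10.10.3.241 "
          "Found Duplicate Group 'ty'. http://bhavin:12100/Groups POST "
          "14390b07-9407-4abb-9504-34eb02d504c1 user@example.com AA2580 "
          "FinanceAPI.Execptions.InvalidDataException: Found Duplicate Group 'ty'.")

if __name__ == "__main__":
    print("question:", grok_match(QUESTION_PATTERN, SAMPLE))
    print("answer:  ", grok_match(ANSWER_PATTERN, SAMPLE))
```

With the answer's pattern the `${message}` text is consumed by the unnamed `%{DATA}`, and the `UserName` value (`AA2580`) ends up at the start of `Message`.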
