logstash-filter-grok

weird grok behaviour

Open: jsvd opened this issue 8 years ago • 0 comments

Migrated from https://github.com/elastic/logstash/issues/7281 Created by @ror6ax


I'm having an issue with grok.

I've written a string to match

10.155.16.115 - - [30/May/2017:08:53:41 +0000] "GET /sqi HTTP/1.1" 404 16 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"

using the pattern:

^%{IPORHOST:CLIENTIP} - - \[(?:[+-]?(?:[0-9]+))/%{MONTH}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND} \+0000] \"%{WORD:HTTP_METHOD} %{GREEDYDATA:URL} HTTP.*\" %{NUMBER:HTTP_STATUS} .*$

It works in http://grokdebug.herokuapp.com/ and gives me _grokparsefailure in ELK.

Now, I started reducing the number of elements and came to a weird situation. My logstash chokes on every parsing except, well, not parsing - %{GREEDYDATA:message}

How can I debug/fix this?

jsvd, Jun 09 '17 15:06