Open jsvd opened 7 years ago
Migrated from https://github.com/elastic/logstash/issues/7281 Created by @ror6ax
I'm having an issue with grok.
I've wrote a string to match
10.155.16.115 - - [30/May/2017:08:53:41 +0000] "GET /sqi HTTP/1.1" 404 16 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
using the pattern:
^%{IPORHOST:CLIENTIP} - - \[(?:[+-]?(?:[0-9]+))/%{MONTH}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND} \+0000] \"%{WORD:HTTP_METHOD} %{GREEDYDATA:URL} HTTP.*\" %{NUMBER:HTTP_STATUS} .*$
It works in http://grokdebug.herokuapp.com/ and gives me _grokparsefailure in ELK.
Now, I started reducing number of elements and came to weird situation. My logstash chokes on every parsing except, well not parsing - %{GREEDYDATA:message}
How can i debug/fix this?
Migrated from https://github.com/elastic/logstash/issues/7281 Created by @ror6ax
I'm having an issue with grok.
I've wrote a string to match
10.155.16.115 - - [30/May/2017:08:53:41 +0000] "GET /sqi HTTP/1.1" 404 16 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"using the pattern:
^%{IPORHOST:CLIENTIP} - - \[(?:[+-]?(?:[0-9]+))/%{MONTH}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND} \+0000] \"%{WORD:HTTP_METHOD} %{GREEDYDATA:URL} HTTP.*\" %{NUMBER:HTTP_STATUS} .*$It works in http://grokdebug.herokuapp.com/ and gives me _grokparsefailure in ELK.
Now, I started reducing number of elements and came to weird situation. My logstash chokes on every parsing except, well not parsing - %{GREEDYDATA:message}
How can i debug/fix this?