Hi!
I have this grok pattern:
RTMPLOGV %{IPORHOST:ipclient} \[%{HTTPDATE:timestamp}\] %{WORD:command} "%{GREEDYDATA:app}" "%{WORD:name}" %{DATA} %{NUMBER:bytesreceived} %{NUMBER:bytessent} "%{URI:url}" "%{HOSTNAME:flashhost} %{GREEDYDATA:flashversion}" %{TIMEVISION:timevision}
TIMEVISION ([ (]?%{MONTHDAY:days}d)?([ (]?%{HOUR:hours}h)?([ (]?%{BASE10NUM:mins}m)?[ (]?% {BASE10NUM:secs}s[)]
For this log:
111.111.111.111 [24/Oct/2016:18:46:00 +0200] PLAY "x-mix" "live" "" - 480 207101 "https://x.es/x" "WIN 23,0,0,185" (7s)
My logstash filter is:
    filter {
      if [type] == "rmtp" {
        grok {
          patterns_dir => ["patterns.grok"]
          match => { "message" => "%{RTMPLOGV}" }
        }
      }
      date {
        match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
        timezone => "Europe/Madrid"
        target => "@timestamp"
      }
      geoip {
        source => "ipclient"
      }
    }
And the Logstash console returns this:
    {
              "path" => "C:\\Users\\user\\Desktop\\rtmp.log",
        "@timestamp" => 2017-03-16T13:51:55.394Z,
             "geoip" => {},
          "@version" => "1",
              "host" => "RS-000064",
           "message" => "111.111.111.111 [24/Oct/2016:18:46:00 +0200] PLAY \"x-mix\" \"live\" \"\" - 480 207101 \"https://x/x\" \"WIN 23,0,0,185\" (7s)\r",
              "type" => "rtmp",
              "tags" => [
            [0] "_geoip_lookup_failure"
        ]
    }
Why?
Thanks in advance
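
An offline check of the pattern and the conditional from the post above, as an added example that is not part of the original post. The regexes are simplified Python stand-ins for the grok patterns (an assumption, not grok's own definitions), and `parse_rtmp` and `run_filter` are hypothetical names. It shows that an event whose `type` differs from the string the filter tests for (`"rmtp"` in the filter, `"rtmp"` on the event) skips parsing entirely and carries no failure tag, a silent gap worth monitoring in a log pipeline.

```python
import re
from datetime import datetime, timezone

# Constructed input: the log line from the post, with the trailing "\r" that
# the console output shows at the end of "message".
SAMPLE = ('111.111.111.111 [24/Oct/2016:18:46:00 +0200] PLAY "x-mix" "live" "" - '
          '480 207101 "https://x.es/x" "WIN 23,0,0,185" (7s)\r')

# Simplified stand-ins for the grok patterns (assumption: not grok's own regexes).
DURATION = (r'(?:[ (]?(?P<days>\d+)d)?(?:[ (]?(?P<hours>\d+)h)?'
            r'(?:[ (]?(?P<mins>\d+)m)?[ (]?(?P<secs>\d+)s\)')
LINE = re.compile(
    r'(?P<ipclient>\S+) \[(?P<timestamp>[^\]]+)\] (?P<command>\w+) '
    r'"(?P<app>[^"]*)" "(?P<name>\w+)" .*? '
    r'(?P<bytesreceived>\d+) (?P<bytessent>\d+) "(?P<url>[^"]*)" '
    r'"(?P<flashhost>\S+) (?P<flashversion>[^"]*)" ' + DURATION + r'\s*$')

def parse_rtmp(line):
    """Return the extracted fields, or None when the line does not match."""
    m = LINE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    for key in ("bytesreceived", "bytessent"):
        f[key] = int(f[key])
    d, h, mi, s = (int(f.pop(k) or 0) for k in ("days", "hours", "mins", "secs"))
    f["duration_seconds"] = ((d * 24 + h) * 60 + mi) * 60 + s
    ts = datetime.strptime(f["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    f["timestamp_utc"] = ts.astimezone(timezone.utc).isoformat()
    return f

def run_filter(event, wanted_type):
    """Mimic `if [type] == wanted_type { grok {...} }` on a copy of the event."""
    out = dict(event)
    if event.get("type") == wanted_type:
        fields = parse_rtmp(event["message"])
        if fields is None:
            out["tags"] = out.get("tags", []) + ["_grokparsefailure"]
        else:
            out.update(fields)
    return out  # type mismatch: returned untouched, with no failure tag

if __name__ == "__main__":
    event = {"type": "rtmp", "message": SAMPLE}
    for wanted in ("rmtp", "rtmp"):  # the post's filter value, then the event's
        result = run_filter(event, wanted)
        print(wanted, "->", result.get("ipclient"), result.get("duration_seconds"))
```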