Can't get IIS Log row to match Grok-pattern

johanwallenborg · January 21, 2020, 4:19pm

Hello,

I'm getting grokfailures on some of the lines on my IIS log parsing and currently i'm banging my head towards a wall.

My pattern look like this:

%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} %{NOTSPACE:user_agent.original} %{NOTSPACE:http.request.referrer} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:http.response.body.bytes:long} %{NUMBER:http.request.body.bytes:long} %{NUMBER:event.duration:long} %{IPORHOST:temp.proxy.ip}

And I want to match this row (probably more later):

2019-09-30 00:34:07 1.1.1.1 GET / - 443 - 2.2.2.2 Pingdom.com_bot_version_1.4_(http://www.pingdom.com/),Pingdom.com_bot_version_1.4_(http://www.pingdom.com/) - 200 0 0 40844 206 204 -

Can you see see something obvious?

Badger · January 21, 2020, 8:20pm

- does not match IPORHOST. IPORHOST can contain -, but cannot start with it.

Fabio-sama · January 22, 2020, 10:59am

Agree with Badger. Put {IPORHOST:temp.proxy.ip}? as you last match (basically add a question mark at the end of the grok).

johanwallenborg · January 22, 2020, 4:50pm

Thanks!
But what difference makes ? at the end?

Fabio-sama · January 22, 2020, 5:03pm

It makes all the difference. Because if you don't put the ?, he looks for an IP or an HOST, find a - and breaks. If you put the ? it looks for 0 or 1 occurrence of IP or HOST. It means that if it doesn't match any occurrences (as in your case since it finds - which is not matched by IPORHOST) it doesn't break.

system · February 19, 2020, 5:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.