Can't get IIS Log row to match Grok-pattern


I'm getting grokfailures on some of the lines on my IIS log parsing and currently i'm banging my head towards a wall. :slight_smile:

My pattern look like this:

%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{} %{IPORHOST:source.address} %{NOTSPACE:user_agent.original} %{NOTSPACE:http.request.referrer} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:http.response.body.bytes:long} %{NUMBER:http.request.body.bytes:long} %{NUMBER:event.duration:long} %{IPORHOST:temp.proxy.ip}

And I want to match this row (probably more later):

2019-09-30 00:34:07 GET / - 443 - Pingdom.com_bot_version_1.4_(,Pingdom.com_bot_version_1.4_( - 200 0 0 40844 206 204 -

Can you see see something obvious? :slight_smile:

- does not match IPORHOST. IPORHOST can contain -, but cannot start with it.

Agree with Badger. Put {IPORHOST:temp.proxy.ip}? as you last match (basically add a question mark at the end of the grok).

1 Like

Thanks! :slight_smile:
But what difference makes ? at the end?

It makes all the difference. Because if you don't put the ?, he looks for an IP or an HOST, find a - and breaks. If you put the ? it looks for 0 or 1 occurrence of IP or HOST. It means that if it doesn't match any occurrences (as in your case since it finds - which is not matched by IPORHOST) it doesn't break.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.