Can't parse my data logs - getting _grokparsefailure

Hello, can anybody please help me parse this log file (https_access files from Apache Tomcat)? I've tried many patterns but I always get ["_grokparsefailure"].

Those are two lines from my data logs :

172.23.10.200 46802 172.23.12.8 8084 172.23.10.200 POST - /PitneyBowse/Kering_Validate/MailingAddressPro 2208 2.208 2208 http-nio-8084-exec-36 - [05/Apr/2018:08:04:39 +0200] 200 704 - Apache-HttpClient/4.2.1 (java 1.5)

172.23.10.200 46732 172.23.12.8 8084 172.23.10.200 GET - ?q=organization.brand:"BV"+AND+name.last.local:(Koushik+OR+Koushik*)&&fl=client_id,name.last.local,num,phone.home.num,activity.registr_store /IODSTranscodes/diods1/customerv2 35 0.035 35 http-nio-8084-exec-36 - [05/Apr/2018:08:26:31 +0200] 200 11761 - Java/1.7.0_85

This is the pattern that I use in grok:

grok {
  match => { "message" => "%{IP:address_ip_source} %{INT:port1} %{IP:address_ip_dest} %{INT:port2} %{IP:address_ip_source_dbl} %{WORD:request_method} - %{GREEDYDATA:message_or-request} %{INT:port3} %{NUMBER:duration} %{INT:port4} %{GREEDYDATA:http-nio} - %{TIMESTAMP_ISO8601:timestamp} %{INT:response_http_status_code} %{INT:nbr} %{GREEDYDATA:extra_msg} %{GREEDYDATA:extra_msg}"
  }
}

thank you.

Hey Sara,

It looks like the timestamp you're trying to grok is not in a valid ISO 8601 format, so it won't match the grok pattern you're using:

TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?

Perhaps try using \[%{HTTPDATE:timestamp}\] instead of %{TIMESTAMP_ISO8601:timestamp}. It looks like it should parse correctly:

Data:
[05/Apr/2018:08:04:39 +0200]

Pattern:
\[%{HTTPDATE:timestamp}\]

Output:

{
  "timestamp": "05/Apr/2018:08:04:39 +0200"
}

I've tested on both your example data sets and it's parsing correctly; let me know if that works for you.

Cheers,
Mike
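As an added illustration (not part of the original thread, and not Logstash's own code), the script below re-implements Mike's diagnosis in plain Python: it runs simplified stand-ins for grok's TIMESTAMP_ISO8601 and HTTPDATE regexes against the bracketed timestamp from Sara's lines, then parses both complete lines with an equivalent of the corrected pattern. The two log lines are copied from the question; the field names (src_ip, thread, referer, ...), the assumption that the lone "-" after the method is Tomcat's empty remote user, and the optional query-string group are my own guesses from the sample, not anything the thread confirms. The simplified grok regexes are approximations of the real definitions in logstash-patterns-core.

```python
import re
from datetime import datetime

# Sample input: the two Tomcat access-log lines posted in the question.
SAMPLE_LINES = [
    '172.23.10.200 46802 172.23.12.8 8084 172.23.10.200 POST - /PitneyBowse/Kering_Validate/MailingAddressPro '
    '2208 2.208 2208 http-nio-8084-exec-36 - [05/Apr/2018:08:04:39 +0200] 200 704 - Apache-HttpClient/4.2.1 (java 1.5)',
    '172.23.10.200 46732 172.23.12.8 8084 172.23.10.200 GET - ?q=organization.brand:"BV"+AND+name.last.local:'
    '(Koushik+OR+Koushik*)&&fl=client_id,name.last.local,num,phone.home.num,activity.registr_store '
    '/IODSTranscodes/diods1/customerv2 35 0.035 35 http-nio-8084-exec-36 - [05/Apr/2018:08:26:31 +0200] 200 11761 - Java/1.7.0_85',
]

# Simplified stand-ins for two grok patterns (assumed approximations; the real
# definitions in logstash-patterns-core are built from smaller sub-patterns).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:?\d{2}(?::?\d{2}(?:\.\d+)?)?(?:Z|[+-]\d{2}(?::?\d{2})?)?",
    "HTTPDATE": r"\d{1,2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
}


def timestamp_pattern_matches(pattern_name, timestamp_field):
    """True if the named grok-style pattern matches the whole bracketed timestamp field."""
    return re.fullmatch(GROK[pattern_name], timestamp_field) is not None


# Equivalent of the corrected grok line. Field names are guesses from the sample:
# the "-" after the method is assumed to be Tomcat's empty remote user, the query
# string (prefixed with "?") is optional because the first sample line has none.
LINE_RE = re.compile(
    r"^(?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+) (?P<local_ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<user>\S+) (?:(?P<query>\?\S*) )?(?P<path>/\S*) "
    r"(?P<duration_ms>\d+) (?P<duration_s>\d+\.\d+) (?P<duration_ms_2>\d+) "
    r"(?P<thread>\S+) (?P<dash>\S+) \[(?P<timestamp>[^\]]+)\] "
    r"(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<referer>\S+) (?P<user_agent>.*)$"
)


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None (the analogue of _grokparsefailure)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    # HTTPDATE text -> timezone-aware datetime, which is what a Logstash date filter
    # with "dd/MMM/yyyy:HH:mm:ss Z" would produce for @timestamp.
    event["@timestamp"] = datetime.strptime(event["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    for key in ("src_port", "dst_port", "duration_ms", "duration_ms_2", "status"):
        event[key] = int(event[key])
    event["duration_s"] = float(event["duration_s"])
    event["bytes"] = None if event["bytes"] == "-" else int(event["bytes"])
    return event


if __name__ == "__main__":
    ts = "05/Apr/2018:08:04:39 +0200"
    for name in GROK:
        print(f"{name:18s} matches {ts!r}: {timestamp_pattern_matches(name, ts)}")
    for line in SAMPLE_LINES:
        event = parse_access_line(line)
        print(event["@timestamp"].isoformat(), event["method"], event["path"], event["status"], event["user_agent"])
```

The same mismatch shows up in Logstash as a tag rather than a None return: a grok pattern fails as a whole, so one wrong sub-pattern (here the ISO 8601 timestamp) produces _grokparsefailure for every line even though the other fields would have matched.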
