Custom Pattern is not working in Logstash


(Ramya) #1

Hi

i have written custom pattern to match a String in my log file

the pattern is
*REQUEST ^/WebApp_. **

my logstash configuration is

grok{
patterns_dir => ["/home/Desktop/patterns"]
match => {
"message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:logTime}] "%{WORD:method} %{REQUEST} HTTP/%{NUMBER:httpversion}\" %{NUMBER:status} %{QS:referrer} %{QS:agent} %{NUMBER:responseTime}'
}

}

sample log line is

x.x.x.x - - [26/Feb/2018:05:16:23 +0000] "POST /WebApp_ID/UserController HTTP/1.1" 200 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko" 11

when running the above configuration i am getting grockParseFailureException,What mistake i did here?? Please help me


(Robert Cowart) #2

This pattern works for me...

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:logTime}\] \"%{WORD:method} %{URIPATH} HTTP/%{NUMBER:httpversion}\" %{NUMBER:status} %{QS:referrer} %{QS:agent} %{NUMBER:responseTime}

You forgot to escape the square brackets and the opening quotation mark before the method. I also switched from using your custom REQUEST pattern to using the included URIPATH.

FYI... there is a Grok debugger included in X-Pack basic, or you can use https://grokdebug.herokuapp.com/ They both work the same (and even share a common bug).

Rob

Robert Cowart (rob@koiossian.com)
www.koiossian.com
True Turnkey SOLUTIONS for the Elastic Stack


(Ramya) #3

Sorry this is not the solution for me, i want to write my custom pattern and i have to use that in configuration


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.