pipeline.conf -
input {
  # Tail the sample access log. No sincedb_path is set, so Logstash generates
  # one under C:/ELK-Stack/logstash/data/plugins/inputs/file/ (see the startup
  # log); remove it if test.log is recreated and must be re-read from the start.
  # NOTE(review): the file input decodes lines as UTF-8 unless a codec charset
  # is configured. The "\u0000" between every character in the output below is
  # what a UTF-16LE file looks like when read as UTF-8 - write test.log as UTF-8.
  file {
    path => "C:/ELK-Stack/logstash/event-data/test.log"
    start_position => "beginning"
  }
  # HTTP listener bound to the loopback address only. It is plain HTTP (the
  # startup log reports :ssl=>"false") and no user/password is configured, so
  # it must stay on localhost for test use.
  http {
    host => "localhost"
    port => 8088
  }
}
filter {
  # Combined log format: the common-log fields plus the quoted referrer and
  # user-agent. Events that do not match are NOT dropped - they pass through
  # tagged "_grokparsefailure", as in the output below.
  # No date filter follows, so "@timestamp" is the ingest time (2018 in the
  # output), not the 2017 timestamp inside the log line.
  # NOTE(review): the message above ends in "\r" (CRLF line endings); GREEDYDATA
  # will most likely keep that "\r" inside "agent" - strip it with mutate if the
  # field is compared against exact values.
  grok {
    match => { "message" => '%{HTTPD_COMMONLOG} "%{GREEDYDATA:referrer}" "%{GREEDYDATA:agent}"' }
  }
}
output {
  # Pretty-print every event on the console; suitable for testing only.
  stdout {
    codec => rubydebug
  }
}
INPUT -
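# Windows PowerShell's ">>" redirection writes "Unicode" (UTF-16LE). Logstash's
# file input reads the file as UTF-8, which is why every character of the event
# below is separated by \u0000 and grok tags it _grokparsefailure.
# Write the sample line as UTF-8 instead. Delete test.log (and the generated
# sincedb) first if it already holds UTF-16 content. Windows PowerShell 5.x adds
# a UTF-8 BOM when it creates the file; the unanchored grok pattern still matches.
PS C:\ELK-Stack\logstash> echo '57.85.164.98 - - [20/Sep/2017:15:31:04 +0200] "GET /js/main.js" 200 588 "https://codingxplained.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Saari/537.36"' | Out-File -Append -Encoding utf8 event-data/test.log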
OUTPUT -
[2018-10-08T12:20:18,496][INFO ][logstash.pipelineaction.reload] Reloading pipeline {"pipeline.id"=>:main}
[2018-10-08T12:20:18,502][INFO ][filewatch.observingtail ] QUIT - closing all files and shutting down.
[2018-10-08T12:20:18,973][INFO ][logstash.pipeline ] Pipeline has terminated {:pipeline_id=>"main", :thread=>"#<Thread:0x18de59d7 run>"}
[2018-10-08T12:20:19,063][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-10-08T12:20:19,125][INFO ][logstash.inputs.file ] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"C:/ELK-Stack/logstash/data/plugins/inputs/file/.sincedb_12e914592f62e3b2d82064809f57dd43", :path=>["C:/ELK-Stack/logstash/event-data/test.log"]}
[2018-10-08T12:20:19,142][INFO ][filewatch.observingtail ] START, creating Discoverer, Watch with file and sincedb collections
[2018-10-08T12:20:19,142][INFO ][logstash.inputs.http ] Starting http input listener {:address=>"localhost:8088", :ssl=>"false"}
[2018-10-08T12:20:19,146][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x6ca58ea7 sleep>"}
[2018-10-08T12:20:19,151][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{
"tags" => [
[0] "_grokparsefailure"
],
"message" => "\u00005\u00007\u0000.\u00008\u00005\u0000.\u00001\u00006\u00004\u0000.\u00009\u00008\u0000 \u0000-
u0000 \u0000-\u0000 \u0000[\u00002\u00000\u0000/\u0000S\u0000e\u0000p\u0000/\u00002\u00000\u00001\u00007\u0000:\u00001\
00005\u0000:\u00003\u00001\u0000:\u00000\u00004\u0000 \u0000+\u00000\u00002\u00000\u00000\u0000]\u0000 \u0000"\u0000G\
0000E\u0000T\u0000 \u0000/\u0000j\u0000s\u0000/\u0000m\u0000a\u0000i\u0000n\u0000.\u0000j\u0000s\u0000"\u0000 \u00002\
00000\u00000\u0000 \u00005\u00008\u00008\u0000 \u0000"\u0000h\u0000t\u0000t\u0000p\u0000s\u0000:\u0000/\u0000/\u0000c\
0000o\u0000d\u0000i\u0000n\u0000g\u0000e\u0000x\u0000p\u0000l\u0000a\u0000i\u0000n\u0000e\u0000d\u0000.\u0000c\u0000o\u
000m\u0000/\u0000"\u0000 \u0000"\u0000M\u0000o\u0000z\u0000i\u0000l\u0000l\u0000a\u0000/\u00005\u0000.\u00000\u0000 \
0000(\u0000W\u0000i\u0000n\u0000d\u0000o\u0000w\u0000s\u0000 \u0000N\u0000T\u0000 \u00001\u00000\u0000.\u00000\u0000;\u
000 \u0000W\u0000i\u0000n\u00006\u00004\u0000;\u0000 \u0000x\u00006\u00004\u0000)\u0000 \u0000A\u0000p\u0000p\u0000l\u0
00e\u0000W\u0000e\u0000b\u0000K\u0000i\u0000t\u0000/\u00005\u00003\u00007\u0000.\u00003\u00006\u0000 \u0000(\u0000K\u00
0H\u0000T\u0000M\u0000L\u0000,\u0000 \u0000l\u0000i\u0000k\u0000e\u0000 \u0000G\u0000e\u0000c\u0000k\u0000o\u0000)\u000
\u0000C\u0000h\u0000r\u0000o\u0000m\u0000e\u0000/\u00006\u00000\u0000.\u00000\u0000.\u00003\u00001\u00001\u00002\u0000
\u00009\u00000\u0000 \u0000S\u0000a\u0000f\u0000a\u0000r\u0000i\u0000/\u00005\u00003\u00007\u0000.\u00003\u00006\u0000\
\u0000\r\u0000",
"@timestamp" => 2018-10-08T16:20:24.166Z,
"@version" => "1",
"host" => "LTDELL170",
"path" => "C:/ELK-Stack/logstash/event-data/test.log"
}