mai_le
August 8, 2016, 10:05am
1
Hello,
I'm trying to parse the log below:
"------------------------------------------------------------------------------------------------------------------------\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;9999;Error;"
And sometimes I have emty fields like this:
Here is my grok:
grok {<demand_time>%{DATE_EU} %{TIME});(?<response_time>%{DATE_EU} %{TIME});%{NOTSPACE:method};%{NOTSPACE:version};(?<return_code>(.)*?);(?<return_label>(.)*?);"}
I tried this grok with the grok debugger. It worked well with the both cases.
Can anyone help me with this issue? Is there any error in my grok?
Thank you in advance for your help.
1 Like
apelsina
August 8, 2016, 8:21pm
2
Try escape the newline symbol in your pattern: write '\\n' instead of '\n' in your config. For me it worked:
Pipeline main started
------------------------------------------------------------------------------------------------------------------------\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;9999;Error;
{
"message" => "------------------------------------------------------------------------------------------------------------------------\\\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;9999;Error;",
"@version" => "1",
"@timestamp" => "2016-08-08T20:15:17.787Z",
"host" => "homesweethome",
"demand_time" => "01/03/2016 19:05:15",
"response_time" => "01/03/2016 19:05:18",
"method" => "Method",
"version" => "V2.1",
"return_code" => "9999",
"return_label" => "Error"
}
------------------------------------------------------------------------------------------------------------------------\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;;;
{
"message" => "------------------------------------------------------------------------------------------------------------------------\\\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;;;",
"@version" => "1",
"@timestamp" => "2016-08-08T20:15:39.747Z",
"host" => "homesweethome",
"demand_time" => "01/03/2016 19:05:15",
"response_time" => "01/03/2016 19:05:18",
"method" => "Method",
"version" => "V2.1"
}
Without '\n' escaped I got the _grokparsefailure, too.
mai_le
August 9, 2016, 7:43am
3
Thank you very much for your answer.
Finally it works well with this grok:
grok {<demand_time>%{DATE_EU} %{TIME});(?<response_time>%{DATE_EU} %{TIME});(?<method>[\w\d]+);(?<version>[\w\d\.]+);(?<return_code>(.)*?);(?<return_label>(.)*?);"}
I added "keep_empty_captures => true" to keep my empty values.
Best regards.
I am having this issue as well but your fix is not helping.
grok:
grok {
keep_empty_captures => true
match => {
message => "%{TIMESTAMP_ISO8601:DateTime},%{WORD:event_type},%{BASE10NUM:log_ver},%{BASE10NUM:imsi},%{BASE10NUM:imei},%{WORD:tmsi},%{BASE10NUM:mcc},%{BASE10NUM:mnc},%{BASE10NUM:lac},%{WORD:acceptorreject},%{BASE10NUM:cause_code},%{WORD:IsInWhitelist},%{WORD:IsAGuest}"
}
}
Line I am trying to parse:
Any help would be appreciated!
1 Like