GROK Expression Invalid JSON

jamesm1 · February 8, 2022, 1:32pm

Hello - I am attempting to create a GROK expression for an APACHE log. I have gotten the expression working in the GROK debugger and other tools - However when i try to add it in as a line into the Ingestion Pipeline i get the message back that its invalid JSON.

Please can someone tell me where i am going wrong with this

%{IPORHOST:source.IP} %{DATA:logname}? %{DATA:username}? \[%{HTTPDATE:apache.access.time}\] \\"%{WORD:http.request.method} %{DATA:http.request.header}\\" %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-) \\("%{DATA:http.request.referrerurl}\\") \\"%{DATA:user_agent.original}\\"? CF-Ray: %{WORD:http.response.CFRayID}?

spinscale · February 8, 2022, 1:39pm

Can you share the full pipeline plus an example document? Best would be to share the Simulate Pipeline API as it is a breeze for others to reproduce your problem.. See Simulate pipeline API | Elasticsearch Guide [7.17] | Elastic

system · March 8, 2022, 1:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.