Grok filter - access log

Hi there,

I am trying to apply my grok filter on my access log:

    10.00.000.00 - - [08/Feb/2019:09:06:54 -0500] "GET /bea_wls_test_intern/wl_test HTTP/1.1" 404 1164

I am trying to apply this:

    input { stdin {} }

    filter {
       grok {
         match => { "message" => "%{COMMONAPACHELOG}" }
         OR
         match => [ "message", "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response} %{NUMBER:bytes}"]
            }
    }

    output { stdout { codec => rubydebug } } 

But it doesn't work; I have got an error:

[2019-03-13T14:38:34,887][ERROR][logstash.pipeline ] Error registering plugin {:pipeline_id=>"id", :plugin=>"#<LogStash::FilterDelegator:0x70116fa>", :error=>"end pattern with unmatched parenthesis:

Do you have an idea?
Thank you

You cannot use OR like that. Try

    grok { match => { "message" => [ "^%{COMMONAPACHELOG}" ] } }

Those are the two filters that I tried... I did not put OR for real! I tried your suggestion but it doesn't work either. I tested my filter on the grok constructor; it is supposed to work...

I tested both of your grok patterns and they both match the example line you gave.

"end pattern with unmatched parenthesis" would be caused by something like

    grok { match => { "message" => [ "^%(COMMONAPACHELOG}" ] } }

or even just

    grok { match => { "message" => [ "(" ] } }
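Added example (not part of the original thread, and not Logstash's own code): a small Ruby pre-flight check that expands grok references into a regexp and compiles it, showing that the custom pattern from the question matches the sample line while a mistyped `%(` leaves a bare parenthesis and is rejected with the same "unmatched parenthesis" message. The `PATTERNS` table, `expand` and `check` are hypothetical helpers with simplified stand-in definitions.

```ruby
# Simplified stand-ins for the grok patterns used in the thread (assumption:
# close enough for this demo, not Logstash's shipped definitions).
PATTERNS = {
  "IP"       => '\d{1,3}(?:\.\d{1,3}){3}',
  "USER"     => '[a-zA-Z0-9._-]+',
  "HTTPDATE" => '\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}',
  "WORD"     => '\w+',
  "NOTSPACE" => '\S+',
  "NUMBER"   => '\d+(?:\.\d+)?',
}.freeze

# Sample line and custom pattern as quoted in the question.
SAMPLE = '10.00.000.00 - - [08/Feb/2019:09:06:54 -0500] ' \
         '"GET /bea_wls_test_intern/wl_test HTTP/1.1" 404 1164'
CUSTOM = '%{IP:client_ip} %{USER:ident} %{USER:auth} ' \
         '\[%{HTTPDATE:apache_timestamp}\] ' \
         '"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}" ' \
         '%{NUMBER:server_response} %{NUMBER:bytes}'

# Replace each %{NAME} or %{NAME:field} with its regexp body.
# Anything that is not a well-formed reference is passed through untouched.
def expand(grok)
  grok.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = PATTERNS.fetch(name) { raise KeyError, "unknown grok pattern #{name}" }
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Compile the expanded pattern and try it against one line.
# A compile failure is reported instead of raised, so a bad pattern is
# caught before it ever reaches a pipeline config.
def check(grok, line)
  m = Regexp.new(expand(grok)).match(line)
  { ok: true, matched: !m.nil?, fields: m ? m.named_captures : {} }
rescue RegexpError => e
  { ok: false, error: e.message }
end

# The last two patterns are the broken ones shown in the final reply.
[CUSTOM, '^%(COMMONAPACHELOG}', '('].each do |g|
  r = check(g, SAMPLE)
  puts(r[:ok] ? "compiles, matched=#{r[:matched]}" : "rejected: #{r[:error]}")
end
```
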
