Grok filter not working properly

```
filter {
  grok {
    # Literal [, ], + and " inside the double-quoted pattern string must be
    # escaped (\[ \] \+ \"), otherwise they are read as regex metacharacters
    # or terminate the string.
    match => [
      "message", "%{IP:access-ip1} %{IP:access-ip2} - - \[%{NOTSPACE:access-timestamp} \+%{INT}\] \"%{WORD:access-httpmethod} %{NOTSPACE:access-request} %{WORD:access-protocol}/%{NUMBER:access-protocolversion}\" %{INT:access-status} %{INT:access-responsesize} %{INT:access-responsetime} \"-\" \"%{WORD} %{WORD} %{NOTSPACE}\" \[ %{WORD} %{WORD} %{WORD}= %{INT:access-responsetimeinmicrosec}%{GREEDYDATA}"
    ]
    overwrite => [ "message" ]
  }
}
```

Below is the data I am passing:

```
IP - - [11/Jan/2019:12:15:26 +0000] [URL ] "POST /URI HTTP/1.1" 200 0 225966 "URL" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" [ TIME in microsec= 350375 ]
```

Also, in the grok debugger it is giving proper output.

Above is the grok filter I am using. While trying to get details in Kibana it is not filtering details as per the above, but instead shows the original message line as is.

I even tried to use a single filter instead of all of them, but all went in vain.

Please suggest what is wrong with the above.

There is no way to know what is wrong with the filter if you do not give an example of the data you expect it to parse.

Also, please either select the configuration and click on </> in the toolbar above the edit pane, or else precede and follow it with lines containing three backticks ```. That way the formatting will be preserved.

The pattern does not match the data. The data starts with IP, and the pattern expects two IP addresses to come first. There are other mismatches elsewhere. If your data starts with an IP address then start off with an anchored pattern:

```
grok { match => { "message" => [ "^%{IP:access-ip1}" ] } }
```

If that works then update the pattern to capture the next field. Do not add another field until the previous one works.
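The "anchor, then add one field at a time" procedure from the reply above can be automated. The following is an added example, not code from this thread or from Logstash: it implements a small grok-to-regex expander in Python (the pattern table is a hand-written approximation of the grok definitions for IP, NOTSPACE, WORD, INT, NUMBER, HTTPDATE, DATA and GREEDYDATA, not Logstash's own), grows the pattern one `%{...}` token at a time and reports the first token at which the match breaks. The sample log line is constructed to mirror the poster's format, with `192.0.2.10` and `http://example.com/...` standing in for the `IP` and `URL` placeholders in the question; `FIXED_PATTERN` is an assumed corrected pattern for that constructed line, not something the thread supplies.

```python
import re

# Approximations of the grok patterns used here (assumption: close to, but not
# identical with, Logstash's definitions; IP is IPv4 only).
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NOTSPACE": r"\S+",
    "WORD": r"\w+",
    "INT": r"[+-]?\d+",
    "NUMBER": r"[+-]?(?:\d+\.?\d*|\.\d+)",
    "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

# %{TYPE} or %{TYPE:field-name}
_TOKEN = re.compile(r"%\{(\w+)(?::([\w-]+))?\}")


def grok_to_regex(pattern):
    """Expand %{TYPE:name} tokens into a Python regex and return (regex, names).

    Literal text between tokens is passed through as regex, exactly as grok
    does, so a literal '[' must be written '\\[' in the pattern.
    """
    parts, names, pos = [], [], 0
    for tok in _TOKEN.finditer(pattern):
        parts.append(pattern[pos:tok.start()])
        typ, name = tok.group(1), tok.group(2)
        sub = GROK_PATTERNS[typ]
        if name:
            names.append(name)
            parts.append(f"({sub})")       # capturing group for a named field
        else:
            parts.append(f"(?:{sub})")     # unnamed token: match but do not keep
        pos = tok.end()
    parts.append(pattern[pos:])
    return "".join(parts), names


def grok_match(pattern, line):
    """Return {field: value} if the whole pattern matches from the start of the line, else None."""
    regex, names = grok_to_regex(pattern)
    m = re.match(regex, line)
    if m is None:
        return None
    return dict(zip(names, m.groups()))


def first_failing_field(pattern, line):
    """Grow the pattern one token at a time, always anchored at the start of the
    line (re.match), and return the first token at which the prefix stops
    matching, or None if every prefix (and so the whole pattern) matches."""
    for tok in _TOKEN.finditer(pattern):
        prefix = pattern[: tok.end()]
        regex, _ = grok_to_regex(prefix)
        if re.match(regex, line) is None:
            return tok.group(0)
    return None


# Constructed sample line in the poster's format (not real log data).
SAMPLE_LINE = (
    '192.0.2.10 - - [11/Jan/2019:12:15:26 +0000] [http://example.com/ ] '
    '"POST /api/v1/orders HTTP/1.1" 200 0 225966 "http://example.com/ref" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" '
    '[ TIME in microsec= 350375 ]'
)

# The pattern from the question, with regex metacharacters escaped.
POSTED_PATTERN = (
    r'%{IP:access-ip1} %{IP:access-ip2} - - \[%{NOTSPACE:access-timestamp} \+%{INT}\] '
    r'"%{WORD:access-httpmethod} %{NOTSPACE:access-request} %{WORD:access-protocol}/%{NUMBER:access-protocolversion}" '
    r'%{INT:access-status} %{INT:access-responsesize} %{INT:access-responsetime} "-" '
    r'"%{WORD} %{WORD} %{NOTSPACE}" \[ %{WORD} %{WORD} %{WORD}= %{INT:access-responsetimeinmicrosec}%{GREEDYDATA}'
)

# Assumed corrected pattern for SAMPLE_LINE, built up one field at a time:
# one IP, the [URL ] block, referrer and user agent captured instead of
# assumed to be "-", and the microsecond block matched literally.
FIXED_PATTERN = (
    r'^%{IP:access-ip} - - \[%{HTTPDATE:access-timestamp}\] \[%{NOTSPACE:access-url} \] '
    r'"%{WORD:access-httpmethod} %{NOTSPACE:access-request} %{WORD:access-protocol}/%{NUMBER:access-protocolversion}" '
    r'%{INT:access-status} %{INT:access-responsesize} %{INT:access-responsetime} '
    r'"%{NOTSPACE:access-referrer}" "%{DATA:access-useragent}" '
    r'\[ TIME in microsec= %{INT:access-responsetimeinmicrosec} \]'
)


if __name__ == "__main__":
    print("posted pattern breaks at:", first_failing_field(POSTED_PATTERN, SAMPLE_LINE))
    print("fixed pattern breaks at:", first_failing_field(FIXED_PATTERN, SAMPLE_LINE))
    for k, v in grok_match(FIXED_PATTERN, SAMPLE_LINE).items():
        print(f"{k} = {v}")
```

Run against the constructed line, `first_failing_field` reports `%{IP:access-ip2}` for the posted pattern, which is exactly the diagnosis in the reply: the first IP matches, the second does not because `- -` follows. When the reported token is the one you just appended, the fault is either that token or the literal text immediately before it; fix that and re-run before adding the next field.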

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.