Grok filter not working

beato1234 · August 16, 2018, 11:46pm

LogFile

[0808 16:08:51 EAT] INFO 47260019218176 profile | Start Statistics Info
[vitual server] = 10.6.2.38:8080
recv called count = 1620

input {
file {
path => "/home/babukuse/data/profile.log.15"
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => "[%{SYSLOGTIMESTAMP:syslog_timestamp}][%{WORD:virtualserver}] %{IP:virtualserverIP} %{WORD:recv called count}%{NUMBER:request}" }
}
}
output {
elasticsearch { hosts => ["10.184.8.113:9200"]
index =>["machine4"]}
stdout { }
}

Output.
{
"host" => "svdt5cbs55ml.safaricom.net",
"@version" => "1",
"path" => "/home/babukuse/data/profile.log.15",
"@timestamp" => 2018-08-16T23:37:06.726Z,
"tags" => [
[0] "_grokparsefailure"
],
"message" => "[vitual server] = 10.6.2.38:8080"
}
{
"host" => "svdt5cbs55ml.safaricom.net",
"@version" => "1",
"path" => "/home/babukuse/data/profile.log.15",
"@timestamp" => 2018-08-16T23:37:06.704Z,
"tags" => [
[0] "_grokparsefailure"
],
"message" => "[0808 16:08:51 EAT] INFO 47260019218176 profile | Start Statistics Info"
}
{
"host" => "svdt5cbs55ml.safaricom.net",
"@version" => "1",
"path" => "/home/babukuse/data/profile.log.15",
"@timestamp" => 2018-08-16T23:37:06.727Z,
"tags" => [
[0] "_grokparsefailure"
],
"message" => "recv called count = 1620 "
}

magnusbaeck · August 17, 2018, 6:38am

By default the file input reads lines one by one. If you want to join multiple physical lines into a single event you need to use a multiline codec.

beato1234 · August 17, 2018, 7:12am

Hi,

I used almost the same filter in below file path and it worked, what makes the two files different?

55.3.244.1 GET /index.html 15824 0.043

input {
file {
path => "/home/babukuse/data/profile.log.15"
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
}
}
output {
elasticsearch { hosts => ["10.184.8.113:9200"]
index =>["machine4"]}
stdout { }

Please advise

magnusbaeck · August 17, 2018, 7:42am

I don't understand what you mean. Those are two completely different log files with completely different grok filters. One of the filters matches its input log file and the other one doesn't.

system · September 14, 2018, 7:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.