Grok isn't getting parsed (grok debugger is parsing it fine but it's throwing an error in Logstash)

 - "22/Nov/2023:12:21:04 +0530" 196.24.23.101 GET "GET /api/status HTTP/1.1" 191 200 439 83 - "nginx/1.23.4 (health check server_103.225.61.177_Pool-1_http_ok)" 127.0.0.1:8080 200 0.002 0.002 0.000 0.002 - pauth.mumbcms.hydtimes.com - - - - - - - -
103.18.141.27, 23.45.91.202, 23.212.50.121 "22/Nov/2023:12:21:05 +0530" 196.21.108.44 POST "POST /oauth/api/merchant/BOI/token HTTP/1.1" 1447 200 2004 867 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36" 127.0.0.1:8080 200 0.943 0.942 0.000 0.942 - pauth.mumbcms.hydtimes.com vaCo1Dl9SGo2wVmzE78jo0FdSZShl9flZ0v0fO9hgVRCv - b2a8e883ec676f417520f422068a4742 04e2b3dc222d26d7ffa0ed3d3285cce6 iti219571 - {\x22grantType\x22:\x22refresh_token\x22,\x22ticketId\x22:\x223e90c3acad414c2bb5b6d5be4a543ed4\x22,\x22allMerchant\x22:true} -
93.112.40.146 "22/Nov/2023:12:21:05 +0530" 196.21.246.35 POST "POST /oauth/api/merchant/ET/token?ref=desktop HTTP/1.0" 4479 200 2550 835 https://mumbcms.hydtimes.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 127.0.0.1:8080 200 0.598 0.598 0.001 0.598 - oauth2.mumbcms.hydtimes.com 66911495-ea51-4e3f-babb-8a5d5ae41e80 - b2a8e883ec676f417520f422068a4742 undefined 2o3hbq2uwdcly1f5bd1io03r1 2o3hbq2uwdcly1f5bd1io03r1 {\x22grantType\x22:\x22refresh_token\x22,\x22ticketId\x22:\x22e9a7e69fc8714bf1ad894ed13e60701c\x22,\x22deviceDetail\x22:\x22x64\x22,\x22allMerchant\x22:true} e9a7e69fc8714bf1ad894ed13e60701c
103.18.142.26, 23.45.91.202, 104.124.54.69 "22/Nov/2023:13:55:34 +0530" 196.21.108.44 POST "POST /api/token/generate HTTP/1.1" 761 200 1284 928 - "-" 127.0.0.1:8080 200 1.119 1.120 0.001 1.119 - pauth.mumbcms.hydtimes.com SM-G611FF_3ecaa1dd7ee49883 827f918a54aa4545ac439148275e772d 3bf38ae9028de021754be41c7b61170f - - - grant_type=refresh_token&restrict_input=0&merchantCode=NBTGOLD& - 

And below is my pattern:

{ "message" => "(?:%{IP:ip}|)%{SPACE:remoteip}(, %{IP})* \"%{HTTPDATE:timestamp}\" %{IP:clientip} %{WORD:method} "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:request_length} %{NUMBER:status} %{NUMBER:bytes_sent} (?:%{NUMBER:body_bytes_sent}|-) %{DATA:referer} %{QS:agent} %{DATA:upstream_addr} %{DATA:upstream_status} %{DATA:request_time} %{DATA:upstream_response_time} %{DATA:upstream_connect_time} %{DATA:upstream_header_time} %{DATA:upstream_cache_status} %{NOTSPACE:domain} %{DATA:X_DEVICE_ID} (?:%{DATA:X_TICKET_ID}|-) %{DATA:X_CLIENT_ID} %{DATA:X_SITE_APP_CODE} %{DATA:X_SSO_ID} %{DATA:ssoid} %{GREEDYDATA:additional_info}"}

Below is the error which Logstash is throwing; there are no missing brackets or similar errors.

 Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"{\", \"}\" at line 14, column 130 (byte 328) after filter {\nif [type] == \"accesslogs\" {\n    grok {\nmatch => { \"message\" => \"(?:%{IPORHOST:ip}|)%{SPACE:remoteip}(, %{IP})* \\\"%{HTTPDATE:timestamp}\\\" %{IP:clientip} %{WORD:method} \"", :backtrace=>["/opt/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "/opt/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/opt/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/opt/logstash/logstash-core/lib/logstash/agent.rb:383:in `block in converge_state'"]}

Your error is not in grok; Logstash is not able to start your pipeline because of some configuration error.

Please share your entire configuration file.

Below is the configuration I'm using:

input {
  file {
    path => "/log/et-oauth/app.log"
    type => "applog"
  }
  file {
    path => "/var/log/nginx/access.log"
    type => "accesslogs"
  }
}
filter {
  if [type] == "accesslogs" {
    grok {
      match => { "message" => "(?:%{IP:ip}|)%{SPACE:remoteip}(, %{IP})* "%{HTTPDATE:timestamp}" %{IP:clientip} %{WORD:method} "%{WORD:verb} %{DATA:request}%{NUMBER:httpversion}" %{NUMBER:request_length} %{NUMBER:status} %{NUMBER:bytes_sent} (?:%{NUMBER:body_bytes_sent}|-) %{DATA:referer} %{QS:agent} %{DATA:upstream_addr} %{DATA:upstream_status} %{DATA:request_time} %{DATA:upstream_response_time} %{DATA:upstream_connect_time} %{DATA:upstream_header_time} %{DATA:upstream_cache_status} %{NOTSPACE:domain}%{DATA:X_DEVICE_ID} (?:%{DATA:X_TICKET_ID}|-) %{DATA:X_CLIENT_ID} %{DATA:X_SITE_APP_CODE} %{DATA:X_SSO_ID} %{DATA:ssoid} %{GREEDYDATA:additional_info}" }

      remove_field => ["tags","timestamp"]
    }

    if [size] == "-" {
      mutate {
        replace => [ "size", "0" ]
      }
    }
  }
}

output {
  if [type] == "applog" {
    elasticsearch {
      hosts => ["logelastic.nytimes.com:80"]
      index => "et-oauth-applog-%{+YYYY.MM.dd}"
    }
  }
}

output {
  if [type] == "accesslogs" {
    elasticsearch {
      hosts => ["logelastic.nytimes.com:80"]
      http_compression => true
      index => "et-oauth-webservernew-%{+YYYY.MM.dd}"
    }
  }
}

But if I just replace the grok pattern with the pattern below, it works fine, but it doesn't parse the fields properly:

%{DATA:xforwardedfor} \"%{HTTPDATE:timestamp}\" +%{IP:clientip} %{WORD:method} \"+%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" +%{NUMBER:request_length} %{NUMBER:status} (?:%{NUMBER:bytesSent}|-) (?:%{NUMBER:BodybytesSent}|-) %{DATA:referrer} %{QS:agent} %{DATA:upstream_addr} %{DATA:upstreamstatus} %{DATA:request_time} %{DATA:upstream_response_time} %{DATA:upstream_connect_time} %{DATA:upstream_header_time} %{DATA:upstream_cache_status} %{NOTSPACE:domain} %{DATA:X_DEVICE_ID} (?:%{DATA:X_TICKET_ID}|-) %{DATA:X_CLIENT_ID} %{DATA:X_SITE_APP_CODE} %{DATA:X_SSO_ID} %{DATA:ssoid} \{%{DATA:request_body}\}\s+%{GREEDYDATA:TicketId}

This last grok worked for me for two of your sample messages and failed for the other two.

You need to investigate why it is failing for those specific messages, maybe you will need to build two different groks depending on your messages.

Your initial error was unrelated to grok; it was related to Logstash not being able to start your pipeline. The configuration you shared had some unescaped double quotes in your grok; you always need to escape the double quotes.

Yes, I understand. I tried to do that but couldn't, as it's not clear to me at the moment. But the initial error is concerning; if it works then it will parse everything.
I have two grok patterns which solve the two different messages, but I fail to apply them through an if/else block. I will provide the grok patterns. If you could help with the if/else block, that would be great.

This error:

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main

means that there is something wrong in your configuration and Logstash cannot start the pipeline.

It was probably caused by this:

match => { "message" => "(?:%{IP:ip}|)%{SPACE:remoteip}(, %{IP})* "%{HTTPDATE:timestamp}"

You have double quotes in your pattern without escaping them; it will not work. You need to escape all double quotes; that is why the last pattern you shared worked: the double quotes are escaped.

To escape, I just have to use a backslash (\) before double quotes, right?

Yeah, just use \".
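Putting the two points from the replies above together (escape every double quote inside the pattern, and handle the two message variants without an if/else block), here is an added example filter block. It is not from any participant in this thread and not from Logstash's documentation; the pattern names and field names are my own choices, and the two patterns are derived from the sample lines posted earlier: the first for lines whose request body is a brace-wrapped JSON object followed by a ticket id, the second for lines whose body field is `-` or form-encoded. It relies on two documented grok behaviours: `pattern_definitions` lets a config define its own named pattern, and `match` accepts an array of patterns that grok tries in order, stopping at the first match (`break_on_match` defaults to true).

```logstash
filter {
  if [type] == "accesslogs" {
    grok {
      # NGX_COMMON is an assumed name for the part of the line that is identical in
      # every sample, so it is written once and referenced by both patterns below.
      # Every literal double quote inside the pattern is escaped as \" because this
      # is a double-quoted string in the Logstash config file; unescaped quotes are
      # what stopped the original pipeline from starting.
      pattern_definitions => {
        "NGX_COMMON" => "%{DATA:xforwardedfor} \"%{HTTPDATE:timestamp}\" %{IP:clientip} %{WORD:method} \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:request_length} %{NUMBER:status} (?:%{NUMBER:bytes_sent}|-) (?:%{NUMBER:body_bytes_sent}|-) %{NOTSPACE:referrer} %{QS:agent} %{NOTSPACE:upstream_addr} %{NOTSPACE:upstream_status} %{NOTSPACE:request_time} %{NOTSPACE:upstream_response_time} %{NOTSPACE:upstream_connect_time} %{NOTSPACE:upstream_header_time} %{NOTSPACE:upstream_cache_status} %{NOTSPACE:domain} %{NOTSPACE:X_DEVICE_ID} %{NOTSPACE:X_TICKET_ID} %{NOTSPACE:X_CLIENT_ID} %{NOTSPACE:X_SITE_APP_CODE} %{NOTSPACE:X_SSO_ID} %{NOTSPACE:ssoid}"
      }
      # grok tries these in order and stops at the first one that matches, which
      # replaces the if/else block asked about above. The character classes [{]
      # and [}] match literal braces without needing a backslash in the config.
      match => {
        "message" => [
          "%{NGX_COMMON} [{]%{DATA:request_body}[}] %{NOTSPACE:ticket_id}",
          "%{NGX_COMMON} %{NOTSPACE:request_body} %{NOTSPACE:ticket_id}"
        ]
      }
    }
    # Turn the captured nginx timestamp into @timestamp, then drop the string copy.
    date {
      match  => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
      remove_field => ["timestamp"]
    }
  }
}
```

The Kibana grok debugger takes the pattern as raw text, so quotes need no escaping there; the backslashes are only for the config file's string syntax, which is why a pattern can pass in the debugger yet stop the pipeline from starting. An alternative to escaping is to wrap the pattern in single quotes (`'...'`), which Logstash's config grammar also accepts, so double quotes inside it can be written as-is. When a line matches neither pattern, grok adds `_grokparsefailure` to `tags`, so keeping that field (rather than removing it as in the original config) is the quickest way to find the messages that still need a third pattern.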

This particular log is getting parsed in the debugger but not in Logstash:

2402:8100:2456:eab1:1:2:226b:58f7, 23.45.91.202, 23.212.50.121 "22/Nov/2023:20:31:38 +0530" 172.29.108.47 OPTIONS "OPTIONS /api/token/generate HTTP/1.1" 961 200 915 0 https://navbharattimes.indiatimes.com/ "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Mobile Safari/537.36" 127.0.0.1:8080 200 0.003 0.003 0.001 0.003 - oauth.economictimes.indiatimes.com - - - - - - - - 

This is what it is showing in Kibana:

message
2402:8100:2456:eab1:1:2:226b:58f7, 23.45.91.202, 23.212.50.121 "22/Nov/2023:20:31:38 +0530" 172.29.108.47 OPTIONS "OPTIONS /api/token/generate HTTP/1.1" 961 200 915 0 https://navbharattimes.indiatimes.com/ "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Mobile Safari/537.36" 127.0.0.1:8080 200 0.003 0.003 0.001 0.003 - oauth.economictimes.indiatimes.com - - - - - - - - 
