Grok match handel special characters, _grokparsefailure

I'm using this grok code
grok {
# check that fields match your IIS log settings
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]

This fails "_grokparsefailure" when the page / url has [1].jpg in them or characters with ë or ä in the url etc.

Wat solution is there?

The URIPATH pattern is probably too restrictive. Use NOTSPACE instead of URIPATH for capturing the page field?

1 Like

Thank you for the quick answer, I will try it out, I just saw this section, what I couldn’t find yesterday _grokparsefailure when parsing IIS logs if the %{URIPATH:page} has square brackets [] in it were you answered the same.

Exactly the answer I was looking for debugging danish characters in page.
Thank you