Grok match handel special characters, _grokparsefailure

govereem · July 13, 2016, 2:10pm

I'm using this grok code
grok {
# check that fields match your IIS log settings
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
}

This fails "_grokparsefailure" when the page / url has [1].jpg in them or characters with ë or ä in the url etc.

Wat solution is there?

magnusbaeck · July 13, 2016, 2:25pm

The URIPATH pattern is probably too restrictive. Use NOTSPACE instead of URIPATH for capturing the page field?

govereem · July 14, 2016, 7:01am

Thank you for the quick answer, I will try it out, I just saw this section, what I couldn’t find yesterday _grokparsefailure when parsing IIS logs if the %{URIPATH:page} has square brackets [] in it were you answered the same.

rasmusraadberg · May 31, 2017, 12:14pm

Exactly the answer I was looking for debugging danish characters in page.
Thank you