Grok match handel special characters, _grokparsefailure


(Gideon Overeem) #1

I'm using this grok code
grok {
# check that fields match your IIS log settings
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
}

This fails "_grokparsefailure" when the page / url has [1].jpg in them or characters with ë or ä in the url etc.

Wat solution is there?


(Magnus Bäck) #2

The URIPATH pattern is probably too restrictive. Use NOTSPACE instead of URIPATH for capturing the page field?


(Gideon Overeem) #3

Thank you for the quick answer, I will try it out, I just saw this section, what I couldn’t find yesterday _grokparsefailure when parsing IIS logs if the %{URIPATH:page} has square brackets [] in it were you answered the same.


(Rasmus Rådberg) #4

Exactly the answer I was looking for debugging danish characters in page.
Thank you


(system) #5