I don't know what's wrong here. The grok pattern matches my access.log, but after creating the index pattern in Kibana the logs show _grokparsefailure.
I'm using ELK version 6.5.4.
Sample log -
157.50.50.50 - - [28/Mar/2020:13:36:28 +0530] "GET /my/v1/acc/card?density=XHDPI HTTP/1.1" 200 541 "-" "-" "okhttp/3.12.1"rt=0.056 uct="0.000" uht="0.055" urt="0.055" uaddr="10.22.33.44:8080"
I created 3 groks; all of them match, but none of them work. The conf file and the 3 groks are below -
filter {
  if "access" in [log_type] {
    grok {
      # Active pattern; the two commented-out lines are the other groks tried.
      match => { "message" => "(?:%{IP:clientip1}|-) (?:%{IP:clientip2}|-) (?:%{IP:clientip3}|-) \[%{HTTPDATE:timelog}\] \"%{WORD:verb} %{URIPATH:request}?(?:%{URIPARAM:url_querystring})? HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:%{DATA:blank1}|-) (?:%{DATA:blank2}|-) %{DATA:agent}rt\=%{NUMBER:rt} uct\=\"%{DATA:uct}\" uht\=\"%{DATA:uht}\" urt\=\"%{DATA:urt}\" uaddr\=\"%{DATA:uaddr}\"" }
      # match => { "message" => "(?:%{IP:clientip1}|-) (?:%{IP:clientip2}|-) (?:%{IP:clientip3}|-) \[%{HTTPDATE:timelog}\] \"%{WORD:verb} %{URIPATH:request}?(?:%{URIPARAM:url_querystring})? HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:\"(?:%{URI:referrer}|-)\"|%{DATA:referrer}) %{DATA:agent}rt\=%{NUMBER:rt} uct\=\"%{DATA:uct}\" uht\=\"%{DATA:uht}\" urt\=\"%{DATA:urt}\" uaddr\=\"%{DATA:uaddr}\"" }
      # match => { "message" => "(?:%{IP:clientip1}|-) (?:%{IP:clientip2}|-) (?:%{IP:clientip3}|-) \[%{HTTPDATE:timelog}\] \"%{WORD:verb} %{URIPATH:request}?(?:%{URIPARAM:url_querystring})? HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) \"%{DATA:referrer1}\" (?:\"(?:%{URI:referrer}|-)\"|%{DATA:referrer}) %{DATA:agent}rt\=%{NUMBER:rt} uct\=\"%{DATA:uct}\" uht\=\"%{DATA:uht}\" urt\=\"%{DATA:urt}\" uaddr\=\"%{DATA:uaddr}\"" }
    }
  }
}
output {
  if "access" in [log_type] {
    elasticsearch {
      hosts => ["10.5.10.5:9200"]
      index => "<gg-check-{now/d}>"
    }
  }
}
Please help & suggest. Thanks in advance.
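Added offline check (not part of the post above and not Logstash's own code): a small Python harness that expands the active grok expression from the conf into a Python regular expression, runs it over the sample line from the post, and, for a line that does not match, reports which token of the pattern is the first one that stops matching. The pattern definitions are simplified local approximations of the ones in logstash-patterns-core (IPv4 only, no lookbehinds or atomic groups), and the real grok engine is Oniguruma, so this checks field layout, not engine-level equivalence. The second sample line, with `-` in place of the request line, is constructed here for illustration.

```python
import re

# Simplified local copies of the grok definitions the pattern below uses.
# They approximate logstash-patterns-core (IPv4 only, no lookbehinds or
# atomic groups) and are enough to check field layout offline.
PATTERNS = {
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTH": r"[A-Za-z]{3}",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"\d{2}:\d{2}:\d{2}",
    "INT": r"[+-]?[0-9]+",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "WORD": r"\b\w+\b",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
    "URIPARAM": r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "DATA": r".*?",
}

# The active match from the conf above, copied verbatim.
ACCESS_GROK = (
    r'(?:%{IP:clientip1}|-) (?:%{IP:clientip2}|-) (?:%{IP:clientip3}|-) '
    r'\[%{HTTPDATE:timelog}\] \"%{WORD:verb} '
    r'%{URIPATH:request}?(?:%{URIPARAM:url_querystring})? '
    r'HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) '
    r'(?:%{DATA:blank1}|-) (?:%{DATA:blank2}|-) %{DATA:agent}rt\=%{NUMBER:rt} '
    r'uct\=\"%{DATA:uct}\" uht\=\"%{DATA:uht}\" urt\=\"%{DATA:urt}\" '
    r'uaddr\=\"%{DATA:uaddr}\"'
)

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(expr):
    """Expand %{NAME} and %{NAME:field} references recursively into a regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(PATTERNS[name])
        return "(?P<%s>%s)" % (field, body) if field else "(?:%s)" % body
    return GROK_REF.sub(repl, expr)


def grok_match(expr, line):
    """Fields grok would set (unmatched optional captures omitted, as grok
    does), or None for a line that would be tagged _grokparsefailure."""
    m = re.search(grok_to_regex(expr), line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def longest_matching_prefix(expr, line):
    """Split the grok expression at spaces and grow it one token at a time.
    Returns (number of leading tokens that still match, first failing token
    or None), which pinpoints where a failing line diverges from the pattern.
    Assumes spaces in the expression only separate fields, as above."""
    tokens = expr.split(" ")
    matched = 0
    for i in range(1, len(tokens) + 1):
        if re.search(grok_to_regex(" ".join(tokens[:i])), line) is None:
            break
        matched = i
    return matched, (tokens[matched] if matched < len(tokens) else None)


# The sample line from the post.
SAMPLE_OK = ('157.50.50.50 - - [28/Mar/2020:13:36:28 +0530] '
             '"GET /my/v1/acc/card?density=XHDPI HTTP/1.1" 200 541 "-" "-" '
             '"okhttp/3.12.1"rt=0.056 uct="0.000" uht="0.055" urt="0.055" '
             'uaddr="10.22.33.44:8080"')
# Constructed for this example: the request field is "-" instead of a request line.
SAMPLE_BAD = ('157.50.50.50 - - [28/Mar/2020:13:36:29 +0530] "-" 400 0 "-" "-" '
              '"-"rt=0.000 uct="-" uht="-" urt="-" uaddr="-"')

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_BAD):
        fields = grok_match(ACCESS_GROK, line)
        if fields is None:
            n, tok = longest_matching_prefix(ACCESS_GROK, line)
            print("_grokparsefailure: %d tokens matched, stuck at %s" % (n, tok))
        else:
            print(fields)
```

Run it against the exact bytes Logstash receives (for instance the `message` field copied from one of the failed events in Kibana) rather than a hand-pasted sample: when a pattern matches in the Grok Debugger but the pipeline tags `_grokparsefailure`, the first thing to rule out is that the message field differs from the sample being tested.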