Grok not able to parse log data

(Aditya Srivastava) #1

I want to write a grok pattern in a Logstash filter.
The input string is:

{"@timestamp":"2016-11-11T13:16:20.447Z","beat":{"hostname":"ip-1-2-3-4","name":"ip-1-2-3-4","version":"5.0.0"},"input_type":"log","message":"Nov 11 13:17:23 ip-10-0-4-2 nginx01 - - [11/Nov/2016:11:40:53 +0530] "/GET name=aditya" 200 7589 resptime=0.016 - -- -","offset":28928355,"source":"/var/log/data/","type":"nginx_data"}

The grok filter I am applying is:

grok {
  # Pattern on one line; the closing brace of the grok block was missing
  match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{GREEDYDATA:syslog_message}" }
}

But this is not working. Please help me find what is wrong with it.

(ruflin) #2

This question is probably better fitted for the Logstash forum. Perhaps one of the grok debug apps can help?

(Aditya Srivastava) #3

I found a solution to it.
Also, I wanted to know: if my access log file has different kinds of data getting logged, can I put multiple filters in to parse each kind of line being logged? For example:

"Nov 11 12:51:11 ip-10-0-0-2 nginx - - [11/Nov/2016:11:42:10 +0530] "GET name=aditya HTTP/1.1" 504
Jan 1 06:25:43 mailserver14 postfix/cleanup[21403]: BEF25A72965:

So you can see there are two different kinds of data getting logged in the same file.
So can I put multiple filters in to handle each kind of log?

(Magnus Bäck) #4

You can put any number of filters in your configuration file.
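Since grok tries its patterns in order and stops at the first match, the two line kinds from post #3 can also be handled by a single grok filter with a pattern list, as in this added example (not from this thread). It assumes the event's message field already holds the raw log line, as it does when Filebeat ships to the beats input and the JSON envelope from post #1 has been decoded; the field names chosen here are my own.

```conf
# Added example, not from the thread. Assumes "message" holds the raw line
# (the beats input has already decoded the JSON envelope from post #1).
filter {
  grok {
    match => {
      "message" => [
        # 1) nginx access line, e.g.
        #    Nov 11 12:51:11 ip-10-0-0-2 nginx - - [11/Nov/2016:11:42:10 +0530] "GET name=aditya HTTP/1.1" 504
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:program} - - \[%{HTTPDATE:access_time}\] \"%{DATA:request}\" %{NUMBER:status:int}",
        # 2) generic syslog line, e.g.
        #    Jan 1 06:25:43 mailserver14 postfix/cleanup[21403]: BEF25A72965:
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{SYSLOGPROG}: %{GREEDYDATA:syslog_message}"
      ]
    }
    # break_on_match defaults to true, so the first matching pattern wins;
    # the more specific nginx pattern therefore goes first.
    # Lines matching neither pattern keep this tag; monitor for it instead of
    # silently dropping such events.
    tag_on_failure => ["_grokparsefailure"]
  }

  # The beat's @timestamp is the time the line was read, not the time in the
  # line itself; for the nginx events (type "nginx_data" from post #1) use the
  # access-log time instead.
  if [type] == "nginx_data" {
    date {
      match => ["access_time", "dd/MMM/yyyy:HH:mm:ss Z"]
      target => "@timestamp"
    }
  }
}
```

The Grok Debugger in Kibana (or the grok debug apps mentioned in post #2) can be used to check each pattern against one of the sample lines before putting it in the pipeline.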

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.