Grok not able to parse log data

Aditya_Srivastava · November 11, 2016, 8:22am

I want to write a grok in logstash filter
Input string is

{"@timestamp":"2016-11-11T13:16:20.447Z","beat":{"hostname":"ip-1-2-3-4","name":"ip-1-2-3-4","version":"5.0.0"},"input_type":"log","message":"Nov 11 13:17:23 ip-10-0-4-2 nginx01 10.100.200.400 - - [11/Nov/2016:11:40:53 +0530] "/GET name=aditya" 200 7589 resptime=0.016 - -- -","offset":28928355,"source":"/var/log/data/10.4.2.9/nginx01/2016-11-11.log","type":"nginx_data"}

The grok filter i am applying is

grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp}
%{SYSLOGHOST:syslog_hostname}
%{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?:
%{GREEDYDATA:syslog_message}" }
}

But this is not working. Please help me what is wrong in it??

ruflin · November 11, 2016, 11:51am

This question is probably better fitted for the Logstash forum. Perhaps one of the grok debug apps can help? https://grokdebug.herokuapp.com/

Aditya_Srivastava · November 11, 2016, 11:57am

I found a solution to it.
Also I wanted to know if my access log file has different kinds of data getting logged can I put multiple filter to parse each kind of lines being logged., EX

"Nov 11 12:51:11 ip-10-0-0-2 nginx 10.140.201.104 - - [11/Nov/2016:11:42:10 +0530] "GET name=aditya HTTP/1.1" 504
Jan 1 06:25:43 mailserver14 postfix/cleanup[21403]: BEF25A72965: message-id=20130101142543.5828399CCAF@mailserver14.example.com

So you can see there are two different kind of data getting logged in same file.
So now can I put multiple filters to handle each kind of logs???

magnusbaeck · November 11, 2016, 12:44pm

You can put any number filters in your configuration file.

system · December 9, 2016, 12:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.