Grok not parsing any pattern

werther158 · January 29, 2021, 4:14pm

Hi, I'm trying to parse some apache logs like this:

46.105.14.53 - - [20/May/2015:21:05:15 +0000] "GET /blog/tags/puppet?flav=rss20 HTTP/1.1" 200 14872 "-" "UniversalFeedParser/4.2-pre-314-svn +http://feedparser.org/"

Filebeat is fetching logs and they are going through Logstash, Elasticsearch and Kibana correctly.
Here is my logstash.conf:

input {
  beats {
    port => 5044
  }
}
filter {
    grok {
      match => {"message" => "%{IPORHOST:clientip}"}
      remove_field => ["message"]
    }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
  }
}

Here I'm trying to use a very simple Grok pattern that works on Grok Debugger. On Kibana I have the entire "message" field as if no filter has been applied.

Any help would be really appreciated.
Thank you, regards.

system · February 26, 2021, 4:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trouble parsing apache log using custom grok pattern Logstash	3	1531	December 27, 2018
Grok Filter Parsing Failure Logstash	6	2556	March 23, 2017
Grok Parse Failure Logstash	3	991	July 6, 2017
_grokparsefailure but grok debugger looks good Logstash	18	2815	August 19, 2021
Grok pattern not being applied in logstash but working on grok debugger Logstash	3	599	September 29, 2017

Grok not parsing any pattern

Related topics