Grok not parsing any pattern

werther158 · January 29, 2021, 4:14pm

Hi, I'm trying to parse some apache logs like this:

46.105.14.53 - - [20/May/2015:21:05:15 +0000] "GET /blog/tags/puppet?flav=rss20 HTTP/1.1" 200 14872 "-" "UniversalFeedParser/4.2-pre-314-svn +http://feedparser.org/"

Filebeat is fetching logs and they are going through Logstash, Elasticsearch and Kibana correctly.
Here is my logstash.conf:

input {
  beats {
    port => 5044
  }
}
filter {
    grok {
      match => {"message" => "%{IPORHOST:clientip}"}
      remove_field => ["message"]
    }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
  }
}

Here I'm trying to use a very simple Grok pattern that works on Grok Debugger. On Kibana I have the entire "message" field as if no filter has been applied.

Any help would be really appreciated.
Thank you, regards.

system · February 26, 2021, 4:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trouble parsing apache log using custom grok pattern Logstash	3	1529	December 27, 2018
_grokparsefailure but grok debugger looks good Logstash	18	2791	August 19, 2021
Grok parse does not work, but looks fine on the debugger Logstash	10	693	July 26, 2020
Grok pattern not being applied in logstash but working on grok debugger Logstash	3	599	September 29, 2017
Can't fix _grokparsefailure Logstash	6	471	January 9, 2019

Grok not parsing any pattern

Related Topics