Grok parsing failure but working in the debugger

lucia_vargas_a · March 8, 2020, 3:22pm

Hi friends,
Cn you help me?

I am trying to parse a log and ingest to elasticsearch. One line looks like this:

2020-03-05 20:42:32 ERROR ConnectionError 404 1000 http://localhost/resources

My config file looks like this:

input {
file {
path => "/Users/.../log_connections.log"
start_position => "beginning"
sincedb_path => "NUL"
sincedb_clean_after => "2 seconds"
}
}
filter {
grok {
match => {"message" => "%{TIMESTAMP_ISO8601} %{WORD:log_type} %{WORD:message_type} %{INT:status_code} %{INT:timeout} %{SPACE:file} %{SPACE:destination} %{SPACE:message} (%{URIPROTO:uri_proto}://(?:%{URIHOST:uri_host})?(?:%{URIPATH:uri_param})?)?"}
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
action => "index"
index => "log"
document_type => "log"
}
}

In the debugger (http://grokdebug.herokuapp.com/) it parses correctly, but when running logstash with my config file it creates the index but does not parse the line, and adds a tag:

  "tags" : [
        "_grokparsefailure"
      ]

I am running it in MACOSX with Logstash v7.5.2

Thanks in advance!

Badger · March 8, 2020, 3:58pm

I would not expect that to match unless there are four spaces between the timeout and the URL.

lucia_vargas_a · March 9, 2020, 3:11pm

Badger thanks for checking
There are 4 spaces, probably when I pasted it they got removed
The problem happens when running logstash config file
The debugger works fine, with the URL and the spaces

lucia_vargas_a · March 9, 2020, 3:22pm

Solved. Must use single quotes instead of double quotes
Cheers,

system · April 6, 2020, 3:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.