Grok patterns for nginx

Today I have text log format about nginx_access

{"timestamp": "2023-09-07T03:03:33+00:00", "remote_addr": "10.0.x.x", "remote_user": "-", "request_time": "0.002 s", "status_request": "200", "request_Size": "510", "request_method": "POST", "Url_request": "", "proxy_upstream_name": "prod-card-prod-card-apiflow-cardservices-svc-9003", "proxy_alternative_upstream_name": "", "upstream_addr": "", "upstream_status": "200", "response_Size": "227", "user_Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36", "response_time": "0.002 s", "namespace": "prod-card", "ingress_name": "prod-card-apiflow-cardservices-ingress", "service_name": "prod-card-apiflow-cardservices-svc", "service_port": "9003"}

So I tried analysis log format nginx to grok patterns but it is seem is false in the field"%{IPORHOST:remote_addr}"

%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:remote_addr} %{USER:remote_user} %{NUMBER:request_time} %{NUMBER:status_request} %{NUMBER:request_size} %{WORD:request_method} %{URIPATH:url_request} %{NOTSPACE:proxy_upstream_name} %{NOTSPACE:proxy_alternative_upstream_name} %{IPORHOST:upstream_addr} %{NUMBER:upstream_status} %{NUMBER:response_size} %{NOTSPACE:user_agent} %{NUMBER:response_time} %{NOTSPACE:namespace} %{NOTSPACE:ingress_name} %{NOTSPACE:service_name} %{NOTSPACE:service_port}

Please help me to quickly resolved . thank everyone very much

The log you shared is a json document, you should use the json filter, not the grok filter.

Try to use the following filter instead of grok

filter {
    json {
        source => "message"

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.