Grok seems not working anymore

Elastic Stack Logstash
1

I'm trying to import nginx logs into ES, i'm using this patterns
NGUSERNAME [a-zA-Z\.\@\-\+_%]+ NGUSER %{NGUSERNAME} NGINXACCESS %{IPORHOST:clientip} - %{NOTSPACE:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NOTSPACE:http_x_forwarded_for}

all logs were successfully imported, here is a screenshot in kibana

screenshot-localhost 7005 2016-02-26 17-55-54.png1130×487 46.9 KB

but when I test my pattern , the result is

screenshot-grokconstructor.appspot.com 2016-02-26 17-59-48.png1110×378 49 KB

why I did not get all the fields? like clientip, agent? in kibana there is a message field, without clientip field I can not analyze the ip count

here is the grok in logstash config file, :

filter {
if [type] == "nginx-access"{
grok {
    match => { "message" => "%{NGINXACCESS}" }
}
date {
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
}
geoip {
    source => "clientip"
}
}
}

hope someone can help me look it to it Thank you

2

Your actual log entry ends with a user agent string but that's not what your grok pattern ends with. You won't get any fields unless you get a match. This is different from wherever you tested your pattern, where apparently all matched fields are shown even though the expression as a whole didn't match. That site also tells you "NOT MATCHED".

3

I see ! sorry for the late reply! thank you !