Grok seems not working anymore

Weizhen_Yan · February 26, 2016, 10:09am

I'm trying to import nginx logs into ES, i'm using this patterns
NGUSERNAME [a-zA-Z\.\@\-\+_%]+ NGUSER %{NGUSERNAME} NGINXACCESS %{IPORHOST:clientip} - %{NOTSPACE:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NOTSPACE:http_x_forwarded_for}

all logs were successfully imported, here is a screenshot in kibana

but when I test my pattern , the result is

why I did not get all the fields? like clientip, agent? in kibana there is a message field, without clientip field I can not analyze the ip count

here is the grok in logstash config file, :

filter {
if [type] == "nginx-access"{
grok {
    match => { "message" => "%{NGINXACCESS}" }
}
date {
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
}
geoip {
    source => "clientip"
}
}
}

hope someone can help me look it to it Thank you

magnusbaeck · February 26, 2016, 2:37pm

Your actual log entry ends with a user agent string but that's not what your grok pattern ends with. You won't get any fields unless you get a match. This is different from wherever you tested your pattern, where apparently all matched fields are shown even though the expression as a whole didn't match. That site also tells you "NOT MATCHED".

Weizhen_Yan · March 1, 2016, 9:48am

I see ! sorry for the late reply! thank you !

Topic		Replies	Views
Problem grok pattern Logstash	6	1269	May 12, 2017
Add x-server header to kibana parsing Logstash	6	379	September 9, 2020
How to use grok pattern to separate nginx access log fields !? Logstash	4	5475	August 12, 2017
NGINX Log mapping Logstash	5	1476	July 6, 2017
Logstash not parsing default nginx logs Logstash	2	821	October 11, 2019

Grok seems not working anymore

Related topics