Grok unable to handle symbol

Hi Admin,
I have a grok pattern from nginx which is working perfectly when the data is coming.

grok {
  match => { "message" => '%{DATA:clientip} %{DATA:VirtualHost} %{DATA:User} \[%{HTTPDATE:timestamp}\] %{DATA:nginx.ssl.protocol}:%{DATA:nginx.ssl.cipher} "(?:%{WORD:request_method} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} rt=(%{NUMBER:nginx.access.request_time:float}|-) uct="(%{NUMBER:nginx.access.upstream.connect_time:float}|-)" uht="(%{NUMBER:nginx.access.upstream.header_time:float}|-)" urt="(%{NUMBER:nginx.access.upstream.response_time:float}|-)" csi="(%{DATA:CookieServiceID})" ua="(%{DATA:nginx.access.upstream.addr})" us="(%{INT:upstreamstatus:int})"' }
}

But sometimes nginx writes - for any value, and then it fails. How do I handle that? Especially us below, which is always coming as "-" and only sometimes 200. Whenever I am getting - it is failing and

uct="-" uht="-" urt="-" csi="-" ua="-" us="-"

us="(%{INT:upstreamstatus:int})"'

please help.

Can you post examples of the two types of lines?

Not Working

uct="-" uht="-" urt="-" csi="-" ua="-" us="-"

Working

uct="0.035" uht="0.160" urt="0.160" csi="-" ua="XXXX" us="200"

You are missing the |- inside the parentheses for csi, ua, and us.

You mean from

us="(%{INT:upstreamstatus:int})"'

to

us="(%{INT:upstreamstatus:int|-})"'

I don't think it can be inside the brace. It should be

us="(%{INT:upstreamstatus:int}|-)"

in the same way that you have uct="(%{NUMBER:nginx.access.upstream.connect_time:float}|-)"

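The fix from the last reply, as an added example that is not part of the thread and is not Logstash's own code: a small Ruby stand-in for grok that expands the upstream part of the pattern and runs the original and the corrected `us` clause over the two sample lines. The `DEFS` table, `compile_grok` and `grok` are hypothetical helpers with simplified pattern definitions.

```ruby
# Simplified stand-ins for the stock INT, NUMBER and DATA definitions (assumption).
DEFS = {
  "INT"    => '[+-]?[0-9]+',
  "NUMBER" => '[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)',
  "DATA"   => '.*?'
}.freeze
CASTS = { "int" => :to_i, "float" => :to_f }.freeze

# Expand each %{SYNTAX:field[:type]} into a named group; field names contain
# dots, so groups are named f0, f1, ... and mapped back through `fields`.
def compile_grok(pattern)
  fields = []
  src = pattern.gsub(/%\{([A-Z0-9]+):([\w.]+)(?::(int|float))?\}/) do
    m = Regexp.last_match
    fields << [m[2], m[3]]
    "(?<f#{fields.size - 1}>#{DEFS.fetch(m[1])})"
  end
  [Regexp.new(src), fields]
end

# Returns a hash of fields, or nil when the line does not match
# (the case Logstash tags as _grokparsefailure).
def grok(pattern, line)
  re, fields = compile_grok(pattern)
  m = re.match(line) or return nil
  fields.each_with_index.each_with_object({}) do |((name, type), i), out|
    raw = m["f#{i}"]
    next if raw.nil? # the "-" alternative matched, so the field is not set
    out[name] = type ? raw.public_send(CASTS.fetch(type)) : raw
  end
end

TIMES = 'uct="(%{NUMBER:nginx.access.upstream.connect_time:float}|-)" ' \
        'uht="(%{NUMBER:nginx.access.upstream.header_time:float}|-)" ' \
        'urt="(%{NUMBER:nginx.access.upstream.response_time:float}|-)" ' \
        'csi="(%{DATA:CookieServiceID})" ua="(%{DATA:nginx.access.upstream.addr})" '
ORIGINAL = TIMES + 'us="(%{INT:upstreamstatus:int})"'    # as first posted
FIXED    = TIMES + 'us="(%{INT:upstreamstatus:int}|-)"'  # alternation outside the brace

# The two sample tails quoted in the thread.
DASHES = 'uct="-" uht="-" urt="-" csi="-" ua="-" us="-"'
VALUES = 'uct="0.035" uht="0.160" urt="0.160" csi="-" ua="XXXX" us="200"'

p grok(ORIGINAL, DASHES) # no match: INT cannot match "-"
p grok(FIXED, DASHES)    # matches; upstreamstatus and the timings are simply absent
p grok(FIXED, VALUES)    # matches; upstreamstatus is the integer 200
```

In this stand-in the DATA fields `csi` and `ua` capture the literal "-" because DATA accepts any text, so downstream filters should expect "-" there and a missing `upstreamstatus` rather than a zero.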