Grokfilter Parser error

Deepika_Rawat · July 15, 2020, 7:25am

I have a log file with data like this
indent preformatted text by 4 spaces
172.16.3.254 Jun 22 11:00:40 date=2020-06-22 local7 notice time=11:00:39 devname="MIBLR_FW_1" devid="FG200ETK19907000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1592803839 srcip=10.212.134.155
i made a conf program to import data to elk
but it is not parsing grok filter
My filter section is : Preformatted textfilter {

grok {
match => { "message" => "%{IP:client}%{TIMESTAMP_ISO8601:date}\s+%{GREEDYDATA:KV}"}
}

kv {
source => "KV"
field_split => " "

}
}
Am i correct..if not kindly help me to correct my program

Deepika_Rawat · July 15, 2020, 7:30am

my error is..
indent preformatted text by 4 spaces
[0] "_grokparsefailure"

Christian_Dahlqvist · July 17, 2020, 6:42am

Your time stamp is not in ISO8601 format which means the grok does not work.

Deepika_Rawat · July 20, 2020, 10:34am

well thank you but Is there another way to match this type of date format in grok..so far i found out MMM dd HH:mm:ss this for parsing but no idea how to write this in program

Badger · July 20, 2020, 5:10pm

I would use dissect to extract the IP and timestamp, then a kv filter to parse the rest of the line. See this example.

system · August 17, 2020, 5:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash _grokparsefailure error Logstash	21	8100	July 19, 2017
Grokparsefailure when I add a date filter Logstash	4	347	September 30, 2019
Issue while parsing date Logstash	5	672	July 7, 2018
GROK filter for my log file JBoss Logstash	4	504	April 24, 2019
_dateparsefailure again Logstash	3	1148	June 27, 2017

Grokfilter Parser error

Related Topics