Grokparsefailure but passes grok debugger

Hi, have been at this all night with no luck. Any help would be so appreciated!

Jan  5 04:26:13 ip-172-31-58-114 docker/user-repo/test-logs/c2f75d91f17f2d6831faa2283dbd28bc83abc1a1[13945]: 04:26:13 index-0 Tue, 05 Jan 2016 04:26:13 GMT -- ::ffff:172.17.0.28 -- - GET /styles/app.css 304 - https://domain.com/login 23.568 ms
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
}
"_source": {
    "message": "docker/user-repo/test-logs/c2f75d91f17f2d6831faa2283dbd28bc83abc1a1[13945]: 05:58:59 index-0 Tue, 05 Jan 2016 05:58:59 GMT -- ::ffff:172.17.0.28 -- - GET /styles/app.css 304 - https://domain.com/login 8.759 ms",
    "@version": "1",
    "@timestamp": "2016-01-05T05:59:16.573Z",
    "host": "52.91.107.130",
    "port": 49995,
    "type": "syslog",
    "tags": [
      "_grokparsefailure"
    ]
  },

This is what you claim that your message look like:

 Jan  5 04:26:13 ip-172-31-58-114 docker/user-repo/test-logs/c2f75d91f17f2d6831faa2283dbd28bc83abc1a1[13945]: 04:26:13 index-0 Tue, 05 Jan 2016 04:26:13 GMT -- ::ffff:172.17.0.28 -- - GET /styles/app.css 304 - https://domain.com/login 23.568 ms

But this is what it actually looks like according to Logstash:

docker/user-repo/test-logs/c2f75d91f17f2d6831faa2283dbd28bc83abc1a1[13945]: 05:58:59 index-0 Tue, 05 Jan 2016 05:58:59 GMT -- ::ffff:172.17.0.28 -- - GET /styles/app.css 304 - https://domain.com/login 8.759 ms"
1 Like

That makes sense. I was stuck on trying to parse the whole syslog entry rather than the message property. Thanks so much!