Hi,
I searched but could not find a solution. I don't know why I get the errors [Grokparsefailure, Geoip lookup failure], and I don't understand where the error is. I think the grok pattern is correct, because I tested it in an online grok tester and it parsed the data correctly. I installed the geoip plugin, but the events are still not parsed.
Kind regards
Example data:
95.101.1.86 "18/Apr/2019:13:21:55 +0300" "GET /aaa.ts HTTP/1.1" 200 902776 95.5.11.75 "95.5.11.75, 195.175.115.29" MISS "-" 0.169 "0.000" "0.012" "0.030"
Logstash Conf;
input {
  # Read the access log from local disk and label every event with
  # type "router", which the filter section tests before parsing.
  file {
    type           => "router"
    path           => "C:/Elasticsearch/logstash-6.6.1/akamai/access.log"
    # Only affects files the input has not seen before: start at the first
    # line instead of tailing from the end.
    start_position => "beginning"
    # "nul" is the Windows null device, so the read offset is not persisted
    # and the file is read again from the start on each run.
    sincedb_path   => "nul"
  }
}
filter {
  # Everything below applies only to events labelled by the file input.
  if [type] == "router" {

    # Split the access-log line into named fields. The pattern is not anchored
    # with ^ / $, and its last token is a lazy %{DATA} with nothing after it
    # (the final double quote ends the config string), so
    # upstream_response_time captures nothing at that position.
    # Fields such as request and http_x_fowarded_for hold values sent by the
    # client; treat them as untrusted text in anything that consumes them.
    grok {
      match => {
        "message" => "%{IP:remoteAddr}%{SPACE}\"%{HTTPDATE:time_local}\"%{SPACE}\"(?:%{WORD:http_method}%{SPACE}%{NOTSPACE:request}(?:%{SPACE}HTTP/%{NUMBER:httpversion})?|-)\"%{SPACE}%{NUMBER:status:int}%{SPACE}%{NUMBER:body_bytes:int}%{SPACE}%{DATA:client_addr}%{SPACE}\"%{DATA:http_x_fowarded_for}\"%{SPACE}%{WORD:upstream_cache_status}%{SPACE}\"(%{DATA:upstream_cache_control})\"%{SPACE}%{NUMBER:request_time:float}%{SPACE}\"%{NUMBER:upstream_connect_time:float}\"%{SPACE}\"%{NUMBER:upstream_header_time:float}\"%{SPACE}\"%{DATA:upstream_response_time}"
      }
      # remove_field is applied only when the match succeeds, so an event
      # tagged _grokparsefailure still carries the raw "message" line; that
      # line in the output file shows exactly what failed to parse.
      remove_field => ["message"]
    }

    # Use the request time from the log line as the event timestamp, then drop
    # the intermediate field (again only when parsing succeeds).
    date {
      match        => ["time_local", "dd/MMM/YYYY:H:m:s Z"]
      remove_field => ["time_local"]
    }

    # Constant marker field added to every "router" event.
    mutate {
      add_field => { "[es_index]" => "router" }
    }

    # Geolocate the first column of the log line.
    # NOTE(review): this filter runs even when grok failed and remoteAddr was
    # never created, which is consistent with _geoip_lookup_failure appearing
    # next to _grokparsefailure. Wrapping it in
    #   if "_grokparsefailure" not in [tags] { ... }
    # would leave only the root-cause tag on unparsed events.
    # NOTE(review): in the sample line remoteAddr differs from client_addr and
    # from the first forwarded-for entry. If the first column is the proxy/CDN
    # peer, the lookup describes that hop rather than the visitor; confirm
    # which address is intended, and note that forwarded-for values are
    # client-supplied.
    geoip {
      source => "remoteAddr"
      target => "geoip"
    }
  }
}
output {
  # Write every event, parsed or not, to a local file. Events that failed
  # grok keep their tags and original "message", so this file can be used to
  # find the lines that did not match.
  file { path => "C:/Elasticsearch/logstash-6.6.1/output.log" }
}
Result tags;
"tags":["_grokparsefailure","_geoip_lookup_failure"],