_grokparsefailure

legolas_bilbao · May 19, 2021, 9:11pm

Good night,

I've use the dev tools for deploy the grook rule for squid logs

The config file is the following

input {
file {
path => "/var/elastik/access.log"
start_position => "beginning"
}

}
filter {
grok {

            match => [ "message","%{NUMBER:timestamp}%{SPACE}%{NUMBER:duration}\s%{IP:client_address}\s%{WORD:cache_result}/%{POSINT:status_code}\s%{NUMBER:bytes}\s%{WORD:request_method}\s%{NOTSPACE:url}\s%{NOTSPACE:user}\s%{WORD:hierarchy_code}/%{NOTSPACE:server}\s%{NOTSPACE:content_type}" ]
            }
    date {
            match => [ "timestamp", "UNIX" ]
            remove_field => [ "timestamp" ]
         }

    }

output {
elasticsearch {
"hosts" => "localhost:9200"
"index" => "squid"
}
stdout { codec => json_lines }
}

The input in the grok dev tool

1616454089.572 259 172.25.157.81 TCP_TUNNEL/200 5630 CONNECT api-eu1.xbc.trendmicro.com:443 - HIER_DIRECT/18.156.104.89 -

And the result is the following
{
"server": "18.156.104.89",
"status_code": "200",
"hierarchy_code": "HIER_DIRECT",
"request_method": "CONNECT",
"url": "api-eu1.xbc.trendmicro.com:443",
"duration": "259",
"content_type": "-",
"bytes": "5630",
"cache_result": "TCP_TUNNEL",
"client_address": "172.25.157.81",
"user": "-",
"timestamp": "1616454089.572"
}

in the deploy into the kibana appears the following error, any idea?

tags _grokparsefailure and the fiels defined in the index are incorrect

system · June 16, 2021, 9:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter for url in squid log Logstash	4	2249	July 6, 2017
[Solved] Grok match failure for Squid log Logstash	1	894	July 6, 2017
Trouble configuring Logstash to Squid Logs Elasticsearch	2	721	July 6, 2017
Grokparsefailure in logstash Elasticsearch	3	427	June 25, 2018
_grokparsefailure in Kibana although Grok tester returns "matched" Logstash	6	335	August 10, 2018

_grokparsefailure

Related topics