Help me to solve this Grok error

aaronlbk · May 14, 2023, 6:52pm

Hello,

I created a pipeline in kibana

# Click the Variables button, above, to create your own variable

PUT _ingest/pipeline/exemple-pipeline-apache
{
 "description": "Mon premier pipeline pour appliquer un grok pattern sur le champ message 
des logs apache",
 "processors": [
 {
 "grok": {
 "field": "message",
 "patterns" : [
 "%{IPORHOST:remote_ip} - %{DATA:user_name} 
\\[%{HTTPDATE:access_time}\\] \\\"%{WORD:http_method} %{DATA:url} 
HTTP/%{NUMBER:http_version}\\\" %{NUMBER:response_code} 
%{NUMBER:body_sent_bytes} \\\"%{DATA:referrer}\\\" \\\"%{DATA:agent}\\\""
 ]
 }
 },
 {
 "set": {
 "description": "la version de logstash qui a été utilisée",
 "field": "logstash_version",
 "value": 7.10
 }
 },
 {
 "uppercase": {
 "field": "_index"
 }
 }
 ]
}

I am getting this error:

{
  "error": {
    "root_cause": [
      {
        "type": "parse_exception",
        "reason": "Failed to parse content to map"
      }
    ],
    "type": "parse_exception",
    "reason": "Failed to parse content to map",
    "caused_by": {
      "type": "json_parse_exception",
      "reason": """Illegal unquoted character ((CTRL-CHAR, code 10)): has to be escaped using backslash to be included in string value
 at [Source: (byte[])"{
 "description": "Mon premier pipeline pour appliquer un grok pattern sur le champ message 
des logs apache",
 "processors": [
 {
 "grok": {
 "field": "message",
 "patterns" : [
 "%{IPORHOST:remote_ip} - %{DATA:user_name} 
\\[%{HTTPDATE:access_time}\\] \\\"%{WORD:http_method} %{DATA:url} 
HTTP/%{NUMBER:http_version}\\\" %{NUMBER:response_code} 
%{NUMBER:body_sent_bytes} \\\"%{DATA:referrer}\\\" \\\"%{DATA:agent}\\\""
 ]
 }
 },
 {
 "set": {
 "description": "la version de logstash qui a été uti"[truncated 110 bytes]; line: 2, column: 92]"""
    }
  },
  "status": 400
}

warkolm · May 16, 2023, 3:22am

You have a few carriage returns in your code, it should be;

PUT _ingest/pipeline/exemple-pipeline-apache
{
  "description": "Mon premier pipeline pour appliquer un grok pattern sur le champ message des logs apache",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{IPORHOST:remote_ip} - %{DATA:user_name} \\[%{HTTPDATE:access_time}\\] \\\"%{WORD:http_method} %{DATA:url} HTTP/%{NUMBER:http_version}\\\" %{NUMBER:response_code} %{NUMBER:body_sent_bytes} \\\"%{DATA:referrer}\\\" \\\"%{DATA:agent}\\\""
        ]
      }
    },
    {
      "set": {
        "description": "la version de logstash qui a été utilisée",
        "field": "logstash_version",
        "value": 7.1
      }
    },
    {
      "uppercase": {
        "field": "_index"
      }
    }
  ]
}

system · June 13, 2023, 3:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana Ingest Pipeline Parsing exception Logstash	6	562	July 2, 2018
Grok processor in pipeline throws json_parse_exception Elasticsearch	3	877	April 24, 2018
Elastic ingest pipeline grok filter error Kibana ingest-pipeline	3	332	January 5, 2021
Ingest error from one pipeline causing errors in other pipelines Elasticsearch ingest-pipeline	1	268	August 9, 2023
Help with the grok processor Elasticsearch	5	730	August 9, 2018

Help me to solve this Grok error

Related Topics