How correctly debug GROK's in logstash

Igor_Gerasimow · May 18, 2017, 2:58pm

Hello.

I'm sure that my issues is very popular:
how i can add fields from grok - for example

2017-05-18 13:52:56 "GET /?method=get_match&match_id=1598784326&region=eune&include_timeline=true HTTP/1.1" 200 1

I wand create separate fields for all records

status 200
timestamp 2017-05-18 13:52:56
method GET
message /?method=get_match&match_id=1598784326&region=eune&include_timeline=true

seems i create proper grok
i checked it on https://grokconstructor.appspot.com/do/match#result

%{TIMESTAMP_ISO8601:timestamp} "%{WORD:action} /%{GREEDYDATA:message}%{WORD:protocol}/%{NUMBER:protocolNum}" %{NUMBER:status} %{NUMBER}```


Could you please show proper filter for my needs.
Thank you in advance.

magnusbaeck · May 23, 2017, 3:49am

And in what way does this not work? Are you getting _grokparsefailure tags in your events? Try reducing your grok expression down to the bare minimum (%{TIMESTAMP_ISO8601:timestamp}) and build it from there.

system · June 20, 2017, 3:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.