How to check the tags values in logstash

Sripal · January 2, 2019, 11:10am

@magnusbeack

Could you please help me to fix this issue.

wolfman · January 2, 2019, 12:21pm

noting the escape \
I don't understand why there are fewer escape characters.I obviously added the escape character \.

stdin { }
}

filter{
if[message] =~ /^\[.*/ {
grok {
match => ["message" ,'%{SYSLOG5424SD:cliip}, %{URIHOST:clientip} %{NOTSPACE:user} %{NOTSPACE:pass} %{NOTSPACE:role} \[%{HTTPDATE:logtime}\] \"%{WORD:method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:responsecode} %{NUMBER:bitstransfer} %{NOTSPACE:id1} %{NOTSPACE:id2} %{NOTSPACE:id3} %{NOTSPACE:webserver} %{NOTSPACE:id5}']
}
}else{
grok {
match => ["message", '%{URIHOST:clientip} %{NOTSPACE:user} %{NOTSPACE:pass} %{NOTSPACE:role} \[%{HTTPDATE:logtime}\] \"%{WORD:method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:responsecode} %{NUMBER:bitstransfer} %{NOTSPACE:id1} %{NOTSPACE:id2} %{NOTSPACE:id3} %{NOTSPACE:webserver} %{NOTSPACE:id5}']
}
}

}

output{
stdout {}
}

Sripal · January 3, 2019, 3:58am

Is this conf is working for you?

wolfman · January 3, 2019, 4:32am

yes,noting the escape character \

Sripal · January 3, 2019, 6:14am

Thanks @wolfman .

Somehow i managed the issue in my way, i am getting grokparsefailure error but logs are structured properly.
out of 35000 log line 32000 logs are structured

Thanks for the help

Topic		Replies	Views
Grokparsefailure ... but it's all working and logs are being parsed...? Logstash	8	2073	May 29, 2022
Logstash tags entries as_grokparsefailures but multiple online debuggers says otherwise Logstash	12	502	October 21, 2021
Logstash unable to identify tags from filebeat ( grokparsefailure) Logstash	6	2821	September 5, 2017
Logstash parsing not consistant Logstash	6	1315	July 6, 2017
_grokparsefailure but it works fine in dubugger Logstash	20	1114	April 20, 2018

How to check the tags values in logstash

Related topics