java.lang.IllegalArgumentException: Provided Grok expressions do not match field value

Hi all,

I am somewhat new to the Grok filter and I realize that there are many posts around this topic, but I can't seem to figure out what's wrong. I am actually using an example from one of the Elastic team members showing how to use Filebeat with an Ingest Node pipeline and Grok filter to parse.

Here is the sample data (NGINX access.log)

109.184.11.34 - - [12/Dec/2015:18:32:56 +0100] "POST /administrator/index.php HTTP/1.1" 200 4494 "http://almhuette-raith.at/administrator/" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0" "-"

Here is the access-log-pipeline.json

{
  "description": "Parse NGINX logs",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{IPORHOST:client} -.*- \[HTTPDATE:ts}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%NUMBER:httpversion})?|%{DATA:rawrequest})" %NUMBER:response} (?:%{NUMBER:bytes}|-)"
        ]
      }
    }
  ]
}

Here is the curl command sending the json to the pipeline:

curl -H 'Content-Type: application/json' -XPUT 'http://9.46.64.95:9200/_ingest/pipeline/access-log-pipeline' -d@access-log-pipeline.json

When I started up Filebeat, I got the error below:

2019-01-18T10:55:38.098-0800 DEBUG [elasticsearch] elasticsearch/client.go:526 Bulk item insert failed (i=9, status=500): {"type":"exception","reason":"java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [109.184.11.34 - - [12/Dec/2015:18:32:56 +0100] "POST /administrator/index.php HTTP/1.1" 200 4494 "http://almhuette-raith.at/administrator/" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0" "-"]","caused_by":{"type":"illegal_argument_exception","reason":"java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [109.184.11.34 - - [12/Dec/2015:18:32:56 +0100] "POST /administrator/index.php HTTP/1.1" 200 4494 "http://almhuette-raith.at/administrator/" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0" "-"]","caused_by":{"type":"illegal_argument_exception","reason":"Provided Grok expressions do not match field value: [109.184.11.34 - - [12/Dec/2015:18:32:56 +0100] "POST /administrator/index.php HTTP/1.1" 200 4494 "http://almhuette-raith.at/administrator/" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0" "-"]"}},"header":{"processor_type":"grok"}}

Thanks in advance,
Vincent
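
An added example, not part of the original post: an offline check of the posted pattern against the posted log line, which lists the `NAME:field}` tokens that lack the opening `%{` and shows the line matching once they are restored. The grok definitions are simplified stand-ins for the stock ones, and `malformed_refs`, `repair`, `grok_match` and `pipeline_json` are hypothetical helpers written for this illustration.

```python
import json
import re

# Simplified stand-ins for the stock grok definitions (assumptions for this
# example, not the exact regexes Elasticsearch ships).
GROK = {
    "IPORHOST": r"[0-9A-Za-z.:-]+",
    "HTTPDATE": r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"\d+(?:\.\d+)?",
    "DATA": r".*?",
}

# Sample line and pattern copied from the post (pattern given as the regex
# text, i.e. before JSON string escaping).
LINE = ('109.184.11.34 - - [12/Dec/2015:18:32:56 +0100] '
        '"POST /administrator/index.php HTTP/1.1" 200 4494 '
        '"http://almhuette-raith.at/administrator/" "Mozilla/5.0 (Windows NT 6.0; '
        'rv:34.0) Gecko/20100101 Firefox/34.0" "-"')
POSTED = (r'%{IPORHOST:client} -.*- \[HTTPDATE:ts}\] "(?:%{WORD:verb} '
          r'%{NOTSPACE:request}(?: HTTP/%NUMBER:httpversion})?|%{DATA:rawrequest})" '
          r'%NUMBER:response} (?:%{NUMBER:bytes}|-)')

def malformed_refs(pattern):
    """NAME:field} tokens that lack the opening %{ and so stay literal text."""
    return re.findall(r"(?<!%\{)\b([A-Z]+:\w+)\}", pattern)

def repair(pattern):
    """Rewrite each malformed token as a proper %{NAME:field} reference."""
    return re.sub(r"%?(?<!%\{)\b([A-Z]+:\w+)\}", r"%{\1}", pattern)

def grok_match(pattern, line):
    """Expand well-formed %{NAME:field} references and search the line."""
    rx = re.sub(r"%\{(\w+):(\w+)\}",
                lambda m: "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)]), pattern)
    m = re.search(rx, line)
    return m.groupdict() if m else None

def pipeline_json(pattern):
    """Pipeline body with the pattern correctly escaped as a JSON string."""
    return json.dumps({"description": "Parse NGINX logs", "processors": [
        {"grok": {"field": "message", "patterns": [pattern]}}]}, indent=2)

if __name__ == "__main__":
    print(malformed_refs(POSTED))             # tokens treated as literal text
    print(grok_match(POSTED, LINE))           # no match, as in the error
    print(grok_match(repair(POSTED), LINE))   # extracted fields
    print(pipeline_json(repair(POSTED)))      # body with \\[ and \" escapes
```

The JSON printed last carries the backslashes and inner double quotes in escaped form, which the pattern string needs inside a pipeline file.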
