I'm trying to ingest an HTTP log through Filebeat into a Kibana pipeline and am getting a parse error. The grok pattern worked well with the Grok Debugger, but the same pattern failed when I attempted to ingest through the Kibana pipeline!
Thanks Bill, removing the \ in front of %{HTTPDATE:timestamp} didn't solve it completely until I removed the one after it too. Though the parsing error is no longer an issue, my logs are being rejected with the following in my Filebeat logs. Can you please advise on how I can make this pattern work through the ingest pipeline?
2018-06-01T00:31:48Z DBG Bulk item insert failed (i=3, status=500): {"type":"exception","reason":"java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [10.194.38.218 - - [20/Feb/2018:22:07:08 +0000] "GET /favicon.ico HTTP/1.1" 404 1167]","caused_by":{"type":"illegal_argument_exception","reason":"java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [10.194.38.218 - - [20/Feb/2018:22:07:08 +0000] "GET /favicon.ico HTTP/1.1" 404 1167]","caused_by":{"type":"illegal_argument_exception","reason":"Provided Grok expressions do not match field value: [10.194.38.218 - - [20/Feb/2018:22:07:08 +0000] "GET /favicon.ico HTTP/1.1" 404 1167]"}},"header":{"processor_type":"grok"}}
2018-06-01T00:31:48Z DBG Bulk item insert failed (i=4, status=500): {"type":"exception","reason":"java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [10.194.38.218 - - [20/Feb/2018:22:07:08 +0000] "GET /favicon.ico HTTP/1.1" 404 1168]","caused_by":{"type":"illegal_argument_exception","reason":"java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [10.194.38.218 - - [20/Feb/2018:22:07:08 +0000] "GET /favicon.ico HTTP/1.1" 404 1168]","caused_by":{"type":"illegal_argument_exception","reason":"Provided Grok expressions do not match field value: [10.194.38.218 - - [20/Feb/2018:22:07:08 +0000] "GET /favicon.ico HTTP/1.1" 404 1168]"}},"header":{"processor_type":"grok"}}
Why not use one of the predefined grok patterns for HTTP logs? Your log looks pretty standard. Even if the predefined patterns don't work out of the box it should be quite easy to adapt them to fit your particular log.
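Added example, not part of the original thread: a Python sketch that builds a `POST _ingest/pipeline/_simulate` request body which tries the predefined `%{COMMONAPACHELOG}` pattern first, and shows how a hand-written pattern with literal brackets is escaped once it is serialised to JSON. The `message` source field, the `error.message` target field, the `CUSTOM` pattern and the simplified stand-in regexes are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the access-log line quoted in the Filebeat error above.
LINE = ('10.194.38.218 - - [20/Feb/2018:22:07:08 +0000] '
        '"GET /favicon.ico HTTP/1.1" 404 1167')

# Hypothetical hand-written alternative to %{COMMONAPACHELOG}. The brackets
# around the timestamp are literal characters, so the regex needs \[ and \].
CUSTOM = (r'%{IPORHOST:clientip} %{NOTSPACE:ident} %{NOTSPACE:auth} '
          r'\[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{NOTSPACE:request} '
          r'HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:bytes}')

def build_simulate_body(line, patterns):
    """Request body for POST _ingest/pipeline/_simulate."""
    pipeline = {
        "description": "parse HTTP access log (example)",
        "processors": [{"grok": {"field": "message", "patterns": patterns}}],
        # Keep the event and record why grok failed instead of a 500 reject.
        "on_failure": [{"set": {"field": "error.message",
                                "value": "{{ _ingest.on_failure_message }}"}}],
    }
    return {"pipeline": pipeline, "docs": [{"_source": {"message": line}}]}

def to_console_json(body):
    # json.dumps adds the JSON-level escaping: \[ in the regex is sent as \\[
    return json.dumps(body, indent=2)

# Rough local stand-ins for the grok sub-patterns (assumption: simplified,
# only meant to sanity-check the literal parts of CUSTOM against LINE).
STANDINS = {"IPORHOST": r"[\w.:-]+", "NOTSPACE": r"\S+", "WORD": r"\w+",
            "NUMBER": r"\d+(?:\.\d+)?",
            "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}"}

def local_match(pattern, line):
    """Expand %{NAME:field} to named groups and match the whole line."""
    regex = re.sub(r"%\{(\w+):(\w+)\}",
                   lambda m: f"(?P<{m.group(2)}>{STANDINS[m.group(1)]})", pattern)
    m = re.fullmatch(regex, line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    print(to_console_json(build_simulate_body(LINE, ["%{COMMONAPACHELOG}", CUSTOM])))
    print(local_match(CUSTOM, LINE))
```

The printed JSON can be pasted into the Kibana Dev Tools Console after `POST _ingest/pipeline/_simulate` to check the pipeline against the sample line before pointing Filebeat at it.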