Log Grok does not work

aroldev · August 31, 2018, 6:29am

Hello elastic community,

I want to parse some log lines and send it to my elasticsearch engine.

My Log looks like this:

2018-08-27T11:56:35:537 | SERVERNAME | 19140 | processname | 27 | 127.0.0.1 | | 0 | Verbose | **** SomeProcessInformation ->GenerateXmlNode(XmlDocument xmldoc, DataRow row) | Leaving. Time needed: 0 ms

I want to grok that lines with

match => {"message" => "%{TIMESTAMP_ISO8601:timestamp}\s\W\s{PROG:hostname}\s\W\s%{POSINT:process_id:int}\s\W\s%{PROG:process_name}\s\W\s%{POSINT:thread_id:int}\s\W\s%{IPORHOST:client_ip}\s\W\s{POSINT:ramUsed:int}\s\W\s%{POSINT:event_id:int}\s\W\s%{WORD:log_level}\s\W\sLeaving. Time needed: %{POSINT:time_used:int}"

When I look into my kibana, the grok does not work. I can only read the plain message.

Can sb. tell my what I made wrong here ?

magnusbaeck · August 31, 2018, 5:10pm

Focus on the part just after "127.0.0.1". There appears to be an empty column afterwards that you're trying to parse into ramUsed.

system · September 28, 2018, 5:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok parse error in Kibana Logstash	2	443	April 3, 2020
Grok parsing log failed! Logstash	1	1194	July 6, 2017
Logstash don't send to Elastcisearch when i use %{WORD:service} in grok Logstash	2	264	May 15, 2019
_grokparsefailure but it work on grok debugger Logstash	19	628	July 30, 2018
Grok not parsing any pattern Logstash	1	274	February 26, 2021

Log Grok does not work

Related topics