Log Grok does not work

aroldev · August 31, 2018, 6:29am

Hello elastic community,

I want to parse some log lines and send it to my elasticsearch engine.

My Log looks like this:

2018-08-27T11:56:35:537 | SERVERNAME | 19140 | processname | 27 | 127.0.0.1 | | 0 | Verbose | **** SomeProcessInformation ->GenerateXmlNode(XmlDocument xmldoc, DataRow row) | Leaving. Time needed: 0 ms

I want to grok that lines with

match => {"message" => "%{TIMESTAMP_ISO8601:timestamp}\s\W\s{PROG:hostname}\s\W\s%{POSINT:process_id:int}\s\W\s%{PROG:process_name}\s\W\s%{POSINT:thread_id:int}\s\W\s%{IPORHOST:client_ip}\s\W\s{POSINT:ramUsed:int}\s\W\s%{POSINT:event_id:int}\s\W\s%{WORD:log_level}\s\W\sLeaving. Time needed: %{POSINT:time_used:int}"

When I look into my kibana, the grok does not work. I can only read the plain message.

Can sb. tell my what I made wrong here ?

magnusbaeck · August 31, 2018, 5:10pm

Focus on the part just after "127.0.0.1". There appears to be an empty column afterwards that you're trying to parse into ramUsed.

Topic		Replies	Views
Grok doesn't work on Elastic but on dubugger yes Logstash	5	52	November 25, 2025
Few messages go unparsed from Logstash into Elastic without any failure Logstash	4	1164	May 1, 2017
Logstash GROK Logstash	2	72	January 7, 2026
Logstash failed to parse the Log file content [0] "_grokparsefailure" Elasticsearch	2	413	March 19, 2018
ES\|QL Grok parsing Elasticsearch esql	1	61	November 28, 2024

Log Grok does not work

Related topics