Logstash Filter error


(Rijin) #1

My Log

198.0.200.105 - - [14/Jan/2014:09:36:50 -0800] "GET /svds.com/rockandroll HTTP/1.1" 301 241 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"

Filter is created from https://grokdebug.herokuapp.com/

%{HOSTNAME:vhost} - - [%{HTTPDATE:timestamp}] "%{WORD:Method} %{DATA:request} HTTP/%{BASE10NUM:version}" %{INT:response} %{GREEDYDATA:Details}

My Logstash conf

input {
  file {
    path => "/home/elastic/elk/samplelog/access.log"
    start_position => "beginning"
  }
}
filter {
  grok { match => { "message" => "%{HOSTNAME:vhost} - - [%{HTTPDATE:timestamp}] "%{WORD:Method} %{DATA:request} HTTP/%{BASE10NUM:version}" %{INT:response} %{GREEDYDATA:Details}" }
  }

  date {
    locale => "en"
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    timezone => "Europe/Rome"
  }
}
output {
  stdout { codec => rubydebug }
}

When I am using the whole filter, Logstash is showing an error:

%{HOSTNAME:vhost} - - [%{HTTPDATE:timestamp}] "%{WORD:Method} %{DATA:request} HTTP/%{BASE10NUM:version}" %{INT:response} %{GREEDYDATA:Details}

Output:

Error : Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, -, ", ', } at line 15, column 143 (byte 325) after filter { \n\n \n grok { match => { "message" => "%{HOSTNAME:vhost} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:Method} %{DATA:request} HTTP/%{BASE10NUM:version}" ", :backtrace=>["/home/elastic/elk/logstash/logstash-6.1.1/logstash-core/lib/logstash/compiler.rb:42:

When I am using half of the filter, no error ... Logstash is parsing the log.

filter {

grok { match => { "message" => "%{HOSTNAME:vhost} - - [%{HTTPDATE:timestamp}] "%{WORD:Method}" }
}

Output:
{
"@version" => "1",
"timestamp" => "23/Jan/2014:11:42:58 -0800",
"host" => "localhost.localdomain",
"@timestamp" => 2014-01-23T19:42:58.000Z,
"message" => "198.0.200.105 - - [23/Jan/2014:11:42:58 -0800] "GET /svds.com/rockandroll/img/12.jpg HTTP/1.1" 200 3832 "http://www.svds.com/rockandroll/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"",
"path" => "/home/elastic/elk/samplelog/access.log",
"vhost" => "198.0.200.105",
"Method" => "GET"
}

Maybe because of " " in the filter.

Please help me to solve this.


(Guy Boertje) #2

Use single quotes to define the pattern if the pattern itself contains double quotes.

grok {
  match => {
    "message" => '%{HOSTNAME:vhost} - - [%{HTTPDATE:timestamp}] "%{WORD:Method} %{DATA:request} HTTP/%{BASE10NUM:version}" %{INT:response} %{GREEDYDATA:Details}'
  }
}

(Rijin) #3

Thank you @guyboertje. I will check.


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.