The error is "[" and "]". In grok this character is used to create a macro, for example: [a-z]+ recognizes all strings made up of at least one lowercase letter.
So with this [%{DATA:timestamp}] you are searching for the string %{DATA:timestamp}.
You have to put \ before [ and ].
So the result is:
\[%{DATA:timestamp}\] %{DATA} %{DATA}=%{QUOTEDSTRING:instancename} %{DATA} %{DATA} %{DATA} %{DATA} %{DATA}=%{QUOTEDSTRING:requesterIP} %{DATA} %{DATA}=%{DATA:dn} %{DATA} %{DATA}=%{QUOTEDSTRING:statusCode} %{GREEDYDATA:audit_record}
It is currently working with your log, but I think it is better to use %{SPACE} instead of " " because this creates a more generic grok filter, so if one day you decide to replace the basic space with a tab, with the %{SPACE} configuration it will still work.
Kibana has an inbuilt Grok debugger in the Dev Tools which we can use for debugging the grok pattern against our sample data instead of "grokdebug.herokuapp.com".
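The bracket and whitespace behaviour discussed in this thread can be reproduced offline. The following is an added example, not code from the thread or from Logstash: it uses Python's `re` as a stand-in for grok's regex engine, with simplified pattern definitions, a shortened pattern and constructed log lines, all of which are assumptions.

```python
import re

# Simplified stand-ins for the stock grok definitions; QUOTEDSTRING here
# covers double-quoted values only (assumption for this example).
GROK = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "SPACE": r"\s*",
    "QUOTEDSTRING": r'"(?:\\.|[^\\"])*"',
}

def expand(pattern):
    """Replace each %{NAME} or %{NAME:field} with its regex."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = GROK[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", sub, pattern)

def grok_match(pattern, line):
    """Return the captured fields, or None when the line does not match."""
    m = re.search(expand(pattern), line)
    return m.groupdict() if m else None

def fields(pattern):
    """Names of the fields the compiled pattern can actually capture."""
    return sorted(re.compile(expand(pattern)).groupindex)

TAIL = "%{DATA}=%{QUOTEDSTRING:requesterIP}"
BROKEN = "[%{DATA:timestamp}] " + TAIL + " %{GREEDYDATA:audit_record}"
ESCAPED = r"\[%{DATA:timestamp}\] " + TAIL + " %{GREEDYDATA:audit_record}"
TOLERANT = r"\[%{DATA:timestamp}\]%{SPACE}" + TAIL + "%{SPACE}%{GREEDYDATA:audit_record}"

# Constructed sample lines (not taken from the thread).
LINE = '[21/Apr/2020:10:15:32 +0000] requesterIP="10.0.0.5" op=BIND'
TAB_LINE = LINE.replace("] ", "]\t").replace('" ', '"\t')

if __name__ == "__main__":
    print(fields(BROKEN))                  # timestamp is swallowed by [...]
    print(grok_match(BROKEN, LINE))        # unescaped brackets: no match
    print(grok_match(ESCAPED, LINE))       # escaped brackets: all fields
    print(grok_match(ESCAPED, TAB_LINE))   # literal spaces break on tabs
    print(grok_match(TOLERANT, TAB_LINE))  # %{SPACE} accepts tabs too
```

For audit pipelines, a line that fails to match is tagged `_grokparsefailure` by Logstash's grok filter and keeps no parsed fields, so it is worth alerting on that tag rather than assuming every record was parsed.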