Logstash grok filter not working

vinodhini · January 6, 2021, 4:10am

I am trying to get my grok filter working.

"[20/Oct/2020:16:37:57.750 -0500] BIND RESULT instanceName="abc.com" threadID=9 conn=2312717 op=0 msgID=1 request
erIP="123.12.12.1" version="3" dn="uid=xyz,ou=appids,ou=admin,dc=abc,dc=com" authType="SIMPLE" resultCode=0 resultCodeName="Success" qtime=0 etime=0.373 authDN="uid=xyz
,ou=people,ou=admin,dc=abc,dc=com" clientConnectionPolicy="default""

My filter logic is below, it does not work.

["[%{DATA:timestamp}] %{DATA} %{DATA}=%{QUOTEDSTRING:instancename} %{DATA} %{DATA} %{DATA} %{DATA} %{DATA}=%{QUOTEDSTRING:requesterIP} %{DATA} %{DATA}=%{DATA:dn} %{
DATA} %{DATA}=%{QUOTEDSTRING:statusCode} %{GREEDYDATA:audit_record}"]

I cannot figure out what am I missing.

Thanks in advance.

Badger · January 6, 2021, 4:39pm

Please edit your post, select the log entry and click on </> in the toolbar above the edit pane. Then do the same for the grok pattern.

You may be missing escapes for the square brackets, but there is no way to tell unless you use the appropriate markdown.

Cad · January 12, 2021, 12:37pm

hi vinodhini,

The error is "[" and "]". In grok this caracthere is for create macro for example :
[a-z]+ recognize all strings made up of at least one lowercase letter.
So with this [%{DATA:timestamp}] you are searching the string %{DATA:timestamp}.
You have to put \ before [ and ].

So the result is :
\[%{DATA:timestamp}\] %{DATA} %{DATA}=%{QUOTEDSTRING:instancename} %{DATA} %{DATA} %{DATA} %{DATA} %{DATA}=%{QUOTEDSTRING:requesterIP} %{DATA} %{DATA}=%{DATA:dn} %{DATA} %{DATA}=%{QUOTEDSTRING:statusCode} %{GREEDYDATA:audit_record}

It currently working with your log but i think it is better to use %{SPACE} instead of " " because this create a grok filter more generic so if one day you decided to replace basic space by tabulation, with the %{SPACE} configuration, it still working.

For debugging :

Cad.

lokeshbabloo · January 12, 2021, 1:12pm

Hi @Cad

The Kibana has an inbuilt Grok debugger in the Dev tools which we can use for debugging the grok pattern for our sample data instead of " grokdebug.herokuapp.com "

Thanks and Regards,
Lokesh

system · February 9, 2021, 1:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.