Logstash grok parsing not working

Hi,

I use ELK GA 5.0.0 and I read from a Kafka topic. I have a log entry like below:

2017-02-22 10:23:53 - - 0.000 304 '425B39368AE7AF1B0D7230B6413ACC6B' GET /qwe/rty/ghj.js http-abc-1234-def-567 192.168.0.1 192.168.0.2 'abcd,abcd,abcd' - - 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1736.2 Safari/537.36'

Here is my Logstash configuration. Some fields may have either 'data' or just -, so I used the config like this:

grok{
	match => { "message" => "%{NOTSPACE:fielda} %{NOTSPACE:fieldb} ('%{NOTSPACE:fieldc}'|%{NOTSPACE:fieldc}) %{NOTSPACE:fieldd} %{NOTSPACE:fielde} %{NOTSPACE:fieldf} ('%{GREEDYDATA:fieldg}'|%{NOTSPACE:fieldg}) %{NOTSPACE:fieldh} %{NOTSPACE:fieldh} %{NOTSPACE:fieldi} ('%{NOTSPACE:fieldj}'|%{NOTSPACE:fieldj}) %{NOTSPACE:fieldk} ('%{GREEDYDATA:fieldl}'|%{NOTSPACE:fieldl}) ('%{GREEDYDATA:fieldm}'|%{NOTSPACE:fieldm}) ('%{GREEDYDATA:fieldn}'|%{NOTSPACE:fieldn}) ('%{GREEDYDATA:fieldo}'|%{NOTSPACE:fieldo})" }
}

But I am only able to see message in Kibana; the entries are not getting sliced. Why is this happening? How can I fix this?

Start with the simplest possible expression, ^%{NOTSPACE:fielda}. Verify that it works. Then add the next token (^%{NOTSPACE:fielda} %{NOTSPACE:fieldb}). Does that work? Continue until it stops working.
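The incremental check the reply recommends can be rehearsed offline against the posted line. The script below is an added example, not code from the original thread: it expands the two grok patterns the expression uses (NOTSPACE and GREEDYDATA) into Python regex, grows the expression one token at a time as the reply suggests, and compares the posted expression with a variant that uses grok's inline (?<name>[^']*) capture for the quoted fields. It assumes the event reaches grok as a single line in the message field.

```python
import re

# Constructed copies of the log line and the grok expression from the post above.
LINE = ("2017-02-22 10:23:53 - - 0.000 304 '425B39368AE7AF1B0D7230B6413ACC6B' GET /qwe/rty/ghj.js "
        "http-abc-1234-def-567 192.168.0.1 192.168.0.2 'abcd,abcd,abcd' - - 'Mozilla/5.0 (Windows NT 6.1; "
        "WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1736.2 Safari/537.36'")
POSTED = ("%{NOTSPACE:fielda} %{NOTSPACE:fieldb} ('%{NOTSPACE:fieldc}'|%{NOTSPACE:fieldc}) %{NOTSPACE:fieldd} "
          "%{NOTSPACE:fielde} %{NOTSPACE:fieldf} ('%{GREEDYDATA:fieldg}'|%{NOTSPACE:fieldg}) %{NOTSPACE:fieldh} "
          "%{NOTSPACE:fieldh} %{NOTSPACE:fieldi} ('%{NOTSPACE:fieldj}'|%{NOTSPACE:fieldj}) %{NOTSPACE:fieldk} "
          "('%{GREEDYDATA:fieldl}'|%{NOTSPACE:fieldl}) ('%{GREEDYDATA:fieldm}'|%{NOTSPACE:fieldm}) "
          "('%{GREEDYDATA:fieldn}'|%{NOTSPACE:fieldn}) ('%{GREEDYDATA:fieldo}'|%{NOTSPACE:fieldo})")
# Same expression with every quoted GREEDYDATA replaced by an inline capture that
# stops at the next quote, so one field cannot swallow its neighbours.
FIXED = re.sub(r"'%\{GREEDYDATA:(\w+)\}'", r"'(?<\1>[^']*)'", POSTED)
GROK = {"NOTSPACE": r"\S+", "GREEDYDATA": r".*"}   # the two stock patterns used, as regex

def grok_to_regex(pattern):
    """Expand %{PATTERN:name} and (?<name>...) into uniquely named Python groups."""
    count = [0]
    def group(name):
        count[0] += 1
        return "(?P<%s__%d>" % (name, count[0])
    regex = re.sub(r"%\{(\w+):(\w+)\}",
                   lambda m: group(m.group(2)) + GROK[m.group(1)] + ")", pattern)
    regex = re.sub(r"\(\?<(\w+)>", lambda m: group(m.group(1)), regex)
    return re.compile("^" + regex)   # anchored at line start, as the reply suggests

def grok_match(pattern, line):
    """Fields grok would emit for this line (a repeated name becomes a list), or None."""
    m = grok_to_regex(pattern).search(line)
    if m is None:
        return None
    fields = {}
    for key in sorted(m.re.groupindex, key=m.re.groupindex.get):   # in pattern order
        if m.group(key) is not None:
            fields.setdefault(key.split("__")[0], []).append(m.group(key))
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}

def first_failing_prefix(pattern, line):
    """The reply's method: grow the expression one token at a time until it stops matching."""
    tokens = pattern.split(" ")
    for n in range(1, len(tokens) + 1):
        if grok_match(" ".join(tokens[:n]), line) is None:
            return " ".join(tokens[:n])
    return None   # every prefix matched, so the problem is not a grok mismatch

if __name__ == "__main__":
    print("first failing prefix:", first_failing_prefix(POSTED, LINE))
    print("posted fieldg:", grok_match(POSTED, LINE)["fieldg"])
    print("fixed fieldo:", grok_match(FIXED, LINE)["fieldo"])
```

Against this line every prefix matches, so grok is not rejecting the message outright; instead the quoted GREEDYDATA for fieldg backtracks to the last quote that is followed by a space and swallows everything up to 'abcd,abcd,abcd', leaving fieldo as "(KHTML,", while the [^']* variant yields the hash and the whole user agent. If the fields still do not appear, the next thing to check is the input side, for example whether the Kafka event really arrives in message as one line.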
