Logstash grok pattern for Wowza

Elastic Stack Logstash
1

Can someone please share me the grok pattern for Wowza?. I have tried with below one. The pattern shows Ok on http://grokdebug.herokuapp.com/ site.

But in logstash log , it went to "grokfailure section".

I referred this link to setup: http://blog.stevenmeyer.co.uk/2014/06/organising-wowza-logs-with-logstash-and-grok-custom-syntax.html

Logstash Config:
if [type] == "wowza" {
grok {
match => [ "message", "%{WOWZAACCESSLOG}" ]
add_field => [ "datetime", "%{date} %{time} %{tz}" ]
}
date {
match => [ "datetime", "yyyy-MM-dd HH:mm:ss Z" ]
}
}

Logstash Stdout log :
{
"message" => "2015-07-16\t01:17:33\tUTC\tcreate\tstream\tINFO\t200\t-\t-\t_defaultVHost_\tlive\t_definst_\t0.001\t[any]\t1935\trtmp://10.11.12.122:1935/live/\t10.11.12.13\trtmp\thttps://test.example.com/video.swf\tLNX 15,0,0,189\t414197479\t3559\t3413\t1\t0\t0\t0\t-\t-\t-\t-\t-\t-\trtmp://10.11.12.122:1935/live/\trtmp://10.11.12.122:1935/live/\t-\trtmp://10.11.12.122:1935/live/\t-",
"@version" => "1",
"@timestamp" => "2015-07-15T15:06:59.707Z",
"type" => "wowza",
"file" => "/usr/local/WowzaStreamingEngine/logs/wowzastreamingengine_access.log",
"host" => "test.example.com",
"offset" => "4590",
"tags" => [
[0] "_grokparsefailure"
]
}

here I'm suspecting with \t . But I couldn't confirm and get the problem fixed. Please someone share any idea on this if possible

Thanks

2

Does anyone have idea on this ?

3

If you want help debugging a grok expression you increase your chances by providing a complete and low-friction example that people can use.

That said, narrowing down a huge expression is usually pretty simple. Start with something very simple and build it up from the start of the string, piece by piece. When you start getting the _grokparsefailure tag you've found the problematic part of the expression. In your case, start with something that matches an yyyy-mm-dd date and build from there.

4

There is someother work around solution available to parse the Wowza server logs.But not sure, why the \t [ tab] logs are unable to parse in Logstash.

Alternate way : I just changed the logs delimiter from Tab to Space. Then, My problem got resolved.

Do you have any idea, why it doesn't parse the tab [\t] delimiter .?