Logstash issue grok

alexmac · May 25, 2015, 11:47am

Hi,
Im having an issue with logsasher, after sending couple of events it stop sending logs to elastic. basically Im inputing AWS ELB logs, extracting the url_path on first match and continue extracting additional data from the "url_path"
I`ve set costume patterns:

DEVICEBREAK [^/]+[^/]+/(?<api_version>[^/]+)+/devices/%{WORD:request_type:String}[?]device_id=%{WORD:device_id}&key=%{WORD:key}
KEYBREAK [^/]+[^/]+/(?<api_version>[^/]+)+/devices/%{WORD:request_type:String}[?]key=%{WORD:key}&device_id=%{WORD:device_id}
APIBREAK [^/]+[^/]+/(?<api_version>[^/]+)+/api_wrappers/connection/domain[?]key=%{WORD:key}&domain_api_secret=%{WORD:api_secret}&user_id=%{BASE10NUM:user_id}
SPIDRBREAK [^/]+[^/]+/(?<api_version>[^/]+)+/users/%{WORD:request_type:String}/communications/spidr[?]key=%{WORD:key}
USERBREAK [^/]+[^/]+/(?<api_version>[^/]+)+/users/devices[?]key=%{WORD:key}
DATEBREAK [^/]+[^/]+/(?<api_version>[^/]+)+/users/%{WORD:request_type:String}/data_channel[?]key=%{WORD:key}
GSSBREAK [^/]+[^/]+/(?<api_version>[^/]+)+/gss/wrapper/user[?]key=%{WORD:key}
CREDBREAK [^/]+[^/]+/(?<api_version>[^/]+)+/devices/%{WORD:request_type:String}/push[?]key=%{WORD:key}&device_id=%{WORD:device_id}

My config file:
input {
file {
path => "/var/log/s3/elb-us-logs/*.log"
type => "elb"
start_position => "beginning"
sincedb_path => "log_sincedb"
}
}
filter {
if [type] == "elb" {
grok {
break_on_match => false
patterns_dir => "./patterns"
match => [ "message" , [
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string} %{URI:url_path} HTTP%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IPORHOST:clientIp}:%{NUMBER:backend_port:int} - -1 -1 -1 %{NUMBER:elb_status_code:int}"
]
]
patterns_dir => "./patterns"
match => [ "url_path", [
"%{DEVICEBREAK}",
"%{KEYBREAK}",
"%{APIBREAK}",
"%{SPIDRBREAK}",
"%{USERBREAK}",
"%{DATEBREAK}",
"%{GSSBREAK}",
"%{CREDBREAK}"
]
]
}
}
The log file looks like this:
"2015-05-25T09:45:51.110114Z extelb-name-API 100.0.54.51:56841 172.18.3.80:80 0.000049 0.023448 0.000022 200 200 0 57 "GET https://api.somedomain.io:443/v1.1/devices/messages?device_id=7A7509DE74DF4654B0919878D7C84B3D&key=UAT4fa560d246c8476ba27a3dda3a64d630 HTTP/1.1"",

Any help will be appreciated, thanks.

magnusbaeck · May 25, 2015, 11:52am

Why do you think this has anything to do with grok?

Is there anything interesting in the Logstash logs if you turn up the logging with --verbose or even --debug?

alexmac · May 25, 2015, 11:58am

running logstash -f etc/conf.d/server.conf -vvv
find's a match and send the log, but after one hit it stops streaming anything.
removing match => ["url_path"] make it works without a problem.

magnusbaeck · May 25, 2015, 12:22pm

And new data is actually being appended to at least one of the files in /var/log/s3/elb-us-logs/*.log?

alexmac · May 25, 2015, 12:30pm

Yes, there is a cron job that syncs new files every 5 mins.

pierhugues · May 25, 2015, 2:47pm

@alexmac Thx for this report, Would you mind sharing a thread dump using jstack when logstash stop processing events?

See http://docs.oracle.com/javase/7/docs/technotes/tools/share/jstack.html for documentation.

pierhugues · May 25, 2015, 2:49pm

Also, @alexmac did you upgrade from 1.4.2 to 1.5.0?

alexmac · May 25, 2015, 3:20pm

Hey,
I've tried using the same config for version 1.5 same thing.
Im currently using version 1.4.2. I did another test instead of using pattern file, Im currenty only using one grok match:
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/devices/%{WORD:request_type:String}[?]device_id=%{UUID:device_id}[&]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}""

The message that I receive:
extelb-Kandy-API 97.65.224.2:16333 172.18.3.23:80 0.000036 0.003172 0.00002 200 200 0 90 "GET https://api.somedomain.io:443/v1.2/devices/messages?device_id=5A07CC7BA86E416D88AB407DBEDDF9C8&key=UATf7d4f3d5fdc7481da1a5bfb52364f812 HTTP/1.1"

I've tested the grok with grokdebugger and it seems to break everything correctly.
but when I start it it fails to process the log and tags it with _grokparsefailure

PeterF · May 26, 2015, 1:59pm

Hello,

I'm having a similar issue with LS processing for a few seconds and then stopping. Here's my conf:

input{
tcp {
port => 20514
type => "syslog"
}
}

filter {
grok {
match => [ "message", "%{SYSLOGTIMESTAMP:@timestamp} %{SYSLOGHOST:hostname} (?<json_msg>{.})" ]
#match => [ "message", "{"Time":"%{SYSLOGTIMESTAMP:timestamp}","Type":"%{DATA:Type}","Hostname":"%{DATA:Hostname}","SourceModuleName":"%{DATA:SourceModuleName}","Logger":"%{DATA:Logger}","Severity":"%{DATA:Severity}","Message":" %{DATA}=%{TIME:time} %{DATA}=%{DATA:devname} %{DATA}=%{DATA:device_id} %{DATA}=%{DATA:log_id} %{DATA}=%{DATA:type} %{DATA}=%{DATA:subtype} %{DATA}=%{DATA:pri} %{DATA}=%{DATA:vd} %{DATA}=%{DATA:SN} %{DATA}=%{DATA:duration} %{DATA}=%{DATA:user} %{DATA}=%{DATA:group} %{DATA}=%{DATA:rule} %{DATA}=%{DATA:policyid} %{DATA}=%{DATA:proto} %{DATA}=%{DATA:service} %{DATA}=%{DATA:app_type} %{DATA}=%{DATA:status} %{DATA}=%{DATA:src} %{DATA}=%{DATA:srcname} %{DATA}=%{DATA:dst} %{DATA}=%{DATA:dstname} %{DATA}=%{DATA:src_int} %{DATA}=%{DATA:dst_int} %{DATA}=%{DATA:sent} %{DATA}=%{DATA:rcvd} %{DATA}=%{DATA:sent_pkt} %{DATA}=%{DATA:rcvd_pkt} %{DATA}=%{DATA:src_port} %{DATA}=%{DATA:dst_port} %{DATA}=%{DATA:vpn} %{DATA}=%{DATA:tran_ip} %{DATA}=%{DATA:tran_port} %{DATA}=%{DATA:dir_disp} %{DATA}=%{DATA:tran_disp} "}" ]
match => [ "message", "(?<json_msg>{.})" ]
match => [ "message", "%{SYSLOGTIMESTAMP:@timestamp} %{SYSLOGHOST:hostname} %{GREEDYDATA:Message}" ]
}
json {
source => "json_msg"
remove_field => ["json_msg"]
#remove_field => ["message"]
}
mutate {
gsub => [
"Severity", "ERR$", "ERROR",
"Severity", "EMERG", "ERROR",
"Severity", "ALERT", "ERROR",
"Severity", "WARN$", "WARNING",
"Severity", "NOTICE", "WARNING"
]
}
}

output{
elasticsearch{
host => localhost
protocol => http
}
}

NOTE: The second grok match (currently commented out). This configuration runs no problem, however, if I uncomment the 2nd grok match, Logstash runs for about 15 seconds and then goes away to la la land. It continues to run taking 100% CPU, but fails to respond to stop, start or restart commands; it does not send any data to ES nor does it seem to accept any data from our relays. In fact the only thing it responds to is kill -9.

Any help?

Input and grok tested with grok debugger

CentOS Linux release 7.0.1406 (Core)
Java 1.8
Logstash 1.5 (I tried on 1.4 and same issue).

PeterF · May 26, 2015, 2:02pm

Sorry, forgot to add:

nothing in logstash.log,err or stdout

If you run LS with --verbose, it shows the messages being processed and then it just stops... (i.e. the output as it processes logs simply comes to a halt, no more data is displayed).

alexmac · May 27, 2015, 1:24pm

Ok, I've found a workaround for this issue.
I've parsed really big and ugly regex, for now it seems good enough.
grok {
break_on_match => false
patterns_dir => "./patterns"
match => [ "message" , [
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]device_id=%{WORD:device_id}[&]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}[&]device_id=%{WORD:device_id}[&]client_timestamp=%{NUMBER:client_timestamp}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/devices/%{WORD:request_type:String}/hints[?]key=%{WORD:key}[&]device_id=%{UUID:device_id}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}[&]device_id=%{WORD:device_id}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/last_seen[?]users=%{GREEDYDATA}[&]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}[&]device_id=%{WORD:device_id}[&]messages=%{GREEDYDATA:messages}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}[&]user_id=%{UUID:user_id}[&]user_password=%{WORD:password}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}[&]%{WORD}=%{GREEDYDATA}[&]device_id=%{WORD:device_id}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}[&]device_id=%{WORD:device_id}[&]client_timestamp=%{NUMBER:client_timestamp}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/%{WORD}[?]key=%{GREEDYDATA:key} HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/%{WORD}/%{WORD}/%{WORD}[?]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}[&]%{WORD}=%{NUMBER:client_sw_version:Int}[&]%{WORD}=%{WORD:client_sw_type}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/%{WORD}[?]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/personal[?]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/device[?]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/devices[?]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/communications/spidr[?]key=%{WORD:key}[&]secure=true%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/wrapper/%{WORD:request_type:String}[?]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/%{WORD}/id[?]session_id=%{WORD:session_id}[&]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/%{WORD}[?]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/details/limited[?]key=%{WORD:key}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/push[?]key=%{WORD:key}[&]device_id=%{WORD:device_id}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/api_wrappers/%{WORD:request_type:String}/domain[?]key=%{WORD:key}[&]domain_api_secret=%{WORD:api_secret}[&]user_id=%{WORD:user_id:Int}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}[&]domain_api_secret=%{WORD:domain_api_secret}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "(%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/api_wrappers/%{WORD:request_type:String}/domain[?]key=%{WORD:key}[&]domain_api_secret=%{UUID:api_secret}[&]user_id=%{UUID:user_id})%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}[?]key=%{WORD:key}[&]MCC=%{NUMBER}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/api_wrappers/%{WORD:request_type:String}[?]key=%{WORD:key}[&]user_id=%{NUMBER:user_id}[&]user_password=%{WORD:user_password}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_type:String}/%{WORD}[?]key=%{GREEDYDATA:key} HTTP+%{URIPATHPARAM}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/push[?]key=%{WORD:key}[&]device_id=%{WORD:device_id}[&]client_sw_version=%{NUMBER:client_sw_version}[&]client_sw_type=%{WORD:client_type}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}"",
"%{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "%{WORD:method:string}%{SPACE}%{URIPROTO}://%{URIHOST:domain}/^/+/%{WORD:request_handler:String}/%{WORD:request_type:String}/user[?]%{WORD}=%{NUMBER:client_sw_version}[&]%{WORD}=%{WORD:client_sw_type}[&]%{WORD}=%{GREEDYDATA:device_version}[&]device_family=%{WORD:device_family}&%{WORD}=%{GREEDYDATA:device_name}[&]device_native_id=%{NUMBER:device_native_id}[&]kandy_device_id=%{WORD:device_id}[&]key=%{WORD:key}[&]full_user_id=%{GREEDYDATA:full_user_id}[&]user_password=%{WORD:user_password}%{SPACE}HTTP+%{URIPATHPARAM:httpversion}""
]
]
}

PeterF · May 29, 2015, 7:21am

Alex,

Other than transforming your match pattern, did you do anything else to logstash to prevent it from becoming unresponsive?

cheers

Peter

Topic		Replies	Views
Grok <something> or <nothing> Logstash	1	757	July 6, 2017
Logstash, nested json and AWS ELB logs Logstash	3	1100	July 6, 2017
Having problems parsing data Logstash	4	306	February 18, 2021
S3 Input Plugin Not Fully Processing ELB Access Logs Logstash	2	1676	September 26, 2017
Logstash with cloudfront Logstash	5	727	October 3, 2019

Logstash issue grok

Related topics