Hello @Badger
Thanks for the info. But what is the alternative? Please suggest.
URIPARAM would be one option.
Hello @Badger
Thanks for the suggestion. However, my grok pattern broke by replacing that type, so I restored it. Any other suggestion? Below is the Logstash error snippet:
[2020-11-17T10:37:37,085][WARN ][logstash.filters.grok ][main][1c077e87742efb841fc737b19f5173c19c342d833aa922af329f987d7b44cab0] Timeout executing grok '(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{DATA:errormessage}, client: %{IP:client}, server: %{DATA:server}, request: \"(?<httprequest>%{WORD:httpcommand} %{UNIXPATH:httpfile} HTTP/(?<httpversion>[0-9.]*))\"(, host: \"(?<host>[^,]*)\")?, referrer: \"%{DATA:referrer}\"' against field 'message' with value 'Value too large to output (288 bytes)! First 255 chars are: 2020/11/17 10:35:03 [error] 32237#32237: *4052154 open() "/etc/nginx/html/apple-touch-icon-precomposed.png" failed (2: No such file or directory), client: 183.83.212.162, server: 10.227.10.20, request: "GET /apple-touch-icon-precomposed.png HTTP/1.1", host'!
@nitin194 try with this pattern:
UNIXPATH2 (?>/(?>[\w_%!$@:.,-]+|\\.)*)+