mhooper
February 24, 2017, 4:14pm
1
After I added the following grok pattern, my config fails to load.
    grok {
      match => { "tempMessage" => "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{WORD:endpoint}/%{INT:number}/%{WORD:cancel}\?reason ",
        "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/%{INT:number} ",
        "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/ " }
    }
Looking at examples on the web, I'm not sure what I've done wrong when adding multiple patterns.
Thank you
mhooper
February 26, 2017, 8:04pm
3
In the log it says "Failed to load" "invalid config". I remove this grok and it loads cleanly.
Your filter should look like this:
    grok {
      match => {
        "tempMessage" => [
          "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{WORD:endpoint}/%{INT:number}/%{WORD:cancel}\?reason",
          "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/%{INT:number}",
          "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/"
        ]
      }
    }
You could do the same thing with a single expression, by the way:
WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{WORD:endpoint}((/%{INT:number})?/(%{WORD:cancel}\?reason)?)?
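Added example, not part of any post in this thread: a small Python emulation of how grok walks the pattern array in order and stops at the first match, which is why the most specific pattern is listed first. The log lines are constructed samples and `grok_to_regex` / `match_first` are hypothetical helper names; DATA, WORD and INT use the definitions from the standard grok pattern set.

```python
import re

# Regex bodies of the three grok patterns used in the thread.
GROK = {"DATA": r".*?", "WORD": r"\b\w+\b", "INT": r"(?:[+-]?(?:[0-9]+))"}

def grok_to_regex(pattern):
    """Expand each %{NAME:field} reference into a named capture group."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

# Same three patterns as the corrected filter, most specific first.
# As in the thread, the dots in the host name are unescaped, so each
# one matches any single character.
PREFIX = "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/"
PATTERNS = [
    PREFIX + r"%{WORD:endpoint}/%{INT:number}/%{WORD:cancel}\?reason",
    PREFIX + r"%{DATA:endpoint}/%{INT:number}",
    PREFIX + r"%{DATA:endpoint}/",
]

def match_first(line, patterns=PATTERNS):
    """Try patterns in order and stop at the first hit (grok's default
    break_on_match behaviour). Returns (pattern index, captured fields)."""
    for index, pattern in enumerate(patterns):
        m = grok_to_regex(pattern).search(line)  # grok patterns are unanchored
        if m:
            return index, m.groupdict()
    return None, {}

# Constructed sample log lines, one per pattern.
SAMPLES = [
    "WebAPI - Request Uri: POST http://webservice.bigcompany.com/orders/42/cancel?reason=duplicate",
    "WebAPI - Request Uri: GET http://webservice.bigcompany.com/orders/42",
    "WebAPI - Request Uri: GET http://webservice.bigcompany.com/status/",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(match_first(line))
    # Least specific pattern first: the cancel request still matches, but
    # the number and cancel fields are silently never extracted.
    print(match_first(SAMPLES[0], list(reversed(PATTERNS))))
```

With the array reversed, every line stops at the bare `%{DATA:endpoint}/` pattern, so events are tagged as parsed while the `number` and `cancel` fields are missing.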
mhooper
February 28, 2017, 3:08pm
5
Thank you for both answers.