Multi pattern grok failing to load

After I added the following grok pattern, my config fails to load.

grok {
match => { "tempMessage" => "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{WORD:endpoint}/%{INT:number}/%{WORD:cancel}\?reason",
"WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/%{INT:number}",
"WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/" }
}

Looking at examples on the web, I'm not sure what I've done wrong when adding multiple patterns.

Thank you.

Fail how?

In the log it says "Failed to load" "invalid config". I remove this grok and it loads cleanly.

Your filter should look like this:

grok {
  match => {
    "tempMessage" => [
      "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{WORD:endpoint}/%{INT:number}/%{WORD:cancel}\?reason",
      "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/%{INT:number}",
      "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/" 
    ]
  }
}

You could do the same thing with a single expression, by the way:

WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{WORD:endpoint}((/%{INT:number})?/(%{WORD:cancel}\?reason)?)?
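An added example, not part of the original thread: a small Python stand-in for grok that expands the three macros used above and tries the array of patterns in order, stopping at the first hit as grok does with its default `break_on_match => true`. The sample messages are constructed, and the helper names `compile_grok` and `grok_match` are hypothetical.

```python
import re

# The three grok macros used in this thread, as defined in Logstash's core
# pattern set, written here as Python regex fragments.
GROK = {"DATA": r".*?", "WORD": r"\b\w+\b", "INT": r"(?:[+-]?(?:[0-9]+))"}

PREFIX = "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/"
# Same order as the array in the corrected filter: most specific first.
PATTERNS = [
    PREFIX + r"%{WORD:endpoint}/%{INT:number}/%{WORD:cancel}\?reason",
    PREFIX + r"%{DATA:endpoint}/%{INT:number}",
    PREFIX + r"%{DATA:endpoint}/",
]

def compile_grok(pattern):
    """Expand each %{NAME:field} into a named capture group."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

def grok_match(message, patterns=PATTERNS):
    """Try patterns in order and stop at the first hit.
    Returns (pattern index, fields), or (None, {}) when nothing matches,
    which is the case Logstash tags with _grokparsefailure."""
    for i, p in enumerate(patterns):
        m = compile_grok(p).search(message)  # grok patterns are unanchored
        if m:
            return i, m.groupdict()
    return None, {}

# Constructed sample messages (not from the original post).
SAMPLES = [
    "WebAPI - Request Uri: POST http://webservice.bigcompany.com/orders/42/cancel?reason=dup",
    "WebAPI - Request Uri: GET http://webservice.bigcompany.com/orders/42",
    "WebAPI - Request Uri: GET http://webservice.bigcompany.com/orders/",
    "WebAPI - Request Uri: GET http://webservice.bigcompany.com/orders",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(grok_match(line))
    # Reversed order: the least specific pattern wins and fields are lost.
    print(grok_match(SAMPLES[0], PATTERNS[::-1]))
```

The last call shows why the array is ordered from most to least specific: with the order reversed, the first sample still matches but `number` and `cancel` are never extracted.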

Thank you for both answers.
