Need to get any help in parsing a complicated logs

MT2021 · August 17, 2021, 11:01am

Hi team,
I am very new in Grok.
I am struggling at this point. I cannot make a parser for below log file.
The issue comes in [17/Aug/2021:16:46:33 +0700]. I cannot pass it.

192.168.40.100 - - [17/Aug/2021:16:46:33 +0700] "GET /favicon.ico HTTP/1.1" 404 493 "http://192.168.40.105/" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Mobile/15E148 Safari/604.1"

I have try to solve it but without success.

%{IP:ipaddress} - - \[%{TIMESTAMP_ISO8601:time} %{NOTSPACE:tz}\]%{GREEDYDATA:rest}

It is very appreciated to any helk or pointing out my bad.
Thanks in advance!

aaron-nimocks · August 17, 2021, 11:13am

Try just %{COMBINEDAPACHELOG:message}.

The reason why yours is not working is due to the timestamp (and maybe others, didn't go through it all). You can see the patterns for things such as TIMESTAMP_ISO8601 here which you can see that pattern does not match your data. Your time matches the HTTPDATE pattern.

But when you do COMBINEDAPACHELOG it should parse it all since it's a common log type.

MT2021 · August 17, 2021, 1:49pm

WOWW! Brilliant!

It works with COMBINEAPACHELOG perfectly.
Thanks for the speedy response!

system · September 14, 2021, 1:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.