Not able to parse completely with grok

  "10/Nov/2023:12:59:05 +0530" 192.54.23.32 GET "GET /healthcheck HTTP/1.1" 178 200 453 2  "nginx/1.23.4 (health check server_192.87.23.870_Pool-1_http_ok)" 127.0.0.1:3000 200 0.001 0.002 0.000 0.002  apimumbcms.hydtimes.com
 "10/Nov/2023:12:59:05 +0530" 192.54.23.32 GET "GET /healthcheck HTTP/1.1" 200 200 453 2  "nginx/1.23.4 (health check server_192.87.23.870_Pool-1_https_ok)" 127.0.0.1:3000 200 0.001 0.001 0.000 0.001  apimumbcms.hydtimes.com
 "10/Nov/2023:12:59:05 +0530" 192.45.108.26 GET "GET /healthcheck HTTP/1.1" 179 200 453 2  "nginx/1.23.4 (health check server_192.45.108.199_Pool-1_http_ok)" 127.0.0.1:3000 200 0.002 0.001 0.000 0.001  apimumbcms.hydtimes.com
 "10/Nov/2023:12:59:05 +0530" 192.45.108.26 GET "GET /healthcheck HTTP/1.1" 201 200 453 2  "nginx/1.23.4 (health check server_192.45.108.199_Pool-1_https_ok)" 127.0.0.1:3000 200 0.001 0.001 0.000 0.001  apimumbcms.hydtimes.com
192.87.205.186 "10/Nov/2023:12:59:05 +0530" 192.87.23.107 GET "GET /socket.io/?EIO=4&transport=polling&t=Oku8ckz HTTP/1.1" 721 200 627 122 https://delhi.indiatimes.com/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 127.0.0.1:3000 200 0.002 0.001 0.000 0.001  mumbcms.hydtimes.com
192.87.205.186 "10/Nov/2023:12:59:05 +0530" 192.87.23.107 GET "GET /socket.io/?EIO=4&transport=polling&t=Oku8col HTTP/1.1" 721 200 630 187 https://delhi.indiatimes.com/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 127.0.0.1:3000 200 0.002 0.001 0.000 0.001  mumbcms.hydtimes.com
192.87.80.63 "10/Nov/2023:12:59:06 +0530" 192.87.23.121 POST "POST /api/cache/purge HTTP/1.1" 860 200 511 51  "Apache-HttpClient/4.5.2 (Java/1.8.0-262)" 127.0.0.1:3000 200 5.305 5.305 0.000 5.305  apimumbcms.hydtimes.com {\"msid\":\"105116742\",\"keywords\":\"Dhanteras 2023%2CDhanteras 2023 Wishes%2CDhanteras 2023 Quotes%2CDhanteras 2023 Messages%2CDhanteras Images%2Cdhanteras festival%2CDhanteras Puja Upay%2CDhanteras Worship Method%2C\",\"hostId\":\"155\",\"mstype\":\"8\",\"title\":\"धनत्रयोदशीच्या दिवशी या शुभ वस्तू खरेदी करा आणि घरात सौभाग्य आणा\",\"type\":\"PHOTOGALLERYSLIDESHOWSECTION\",\"hisactive\":\"0\",\"operation\""mssubtype\":\"1\",\"parentId\":\"87872838\"}
192.87.82.84 "10/Nov/2023:12:59:08 +0530" 192.87.23.115 POST "POST /api/cache/purge HTTP/1.1" 545 200 511 51  "Apache-HttpClient/4.5.2 (Java/1.8.0-262)" 127.0.0.1:3000 200 0.055 0.055 0.000 0.055  apimumbcms.hydtimes.com {\"msid\":\"105117134\",\"keywords\":\"null\",\"hostId\":\"53\",\"mstype\":\"3\",\"title\":\"dhanteras 2023 shopping2\",\"type\":\"dhanteras 2023 shopping2\",\"hisactive\":\"2\",\"operation\":\"add\",\"mssubtype\":\"0\",\"parentId\":\"105117040\"}
192.87.80.64 "10/Nov/2023:12:59:08 +0530" 192.87.23.116 POST "POST /api/cache/purge HTTP/1.1" 545 200 511 51  "Apache-HttpClient/4.5.2 (Java/1.8.0-262)" 127.0.0.1:3000 200 0.068 0.068 0.001 0.068  apimumbcms.hydtimes.com {\"msid\":\"105117109\",\"keywords\":\"null\",\"hostId\":\"53\",\"mstype\":\"3\",\"title\":\"dhanteras 2023 shopping4\",\"type\":\"dhanteras 2023 shopping4\",\"hisactive\":\"2\",\"operation\":\"add\",\"mssubtype\":\"0\",\"parentId\":\"105117040\"}
 "10/Nov/2023:12:59:10 +0530" 192.54.23.32 GET "GET /healthcheck HTTP/1.1" 178 200 453 2  "nginx/1.23.4 (health check server_192.87.23.870_Pool-1_http_ok)" 127.0.0.1:3000 200 0.002 0.002 0.000 0.002  apimumbcms.hydtimes.com
 "10/Nov/2023:12:59:10 +0530" 192.54.23.32 GET "GET /healthcheck HTTP/1.1" 200 200 453 2  "nginx/1.23.4 (health check server_192.87.23.870_Pool-1_https_ok)" 127.0.0.1:3000 200 0.007 0.007 0.000 0.007  apimumbcms.hydtimes.com
 "10/Nov/2023:12:59:10 +0530" 192.45.108.26 GET "GET /healthcheck HTTP/1.1" 179 200 453 2  "nginx/1.23.4 (health check server_192.45.108.199_Pool-1_http_ok)" 127.0.0.1:3000 200 0.007 0.008 0.000 0.008  apimumbcms.hydtimes.com
 "10/Nov/2023:12:59:10 +0530" 192.45.108.26 GET "GET /healthcheck HTTP/1.1" 201 200 453 2  "nginx/1.23.4 (health check server_192.45.108.199_Pool-1_https_ok)" 127.0.0.1:3000 200 0.002 0.001 0.000 0.001  apimumbcms.hydtimes.com
192.87.205.186 "10/Nov/2023:12:59:11 +0530" 192.87.23.115 GET "GET /socket.io/?EIO=4&transport=polling&t=Oku8eCj HTTP/1.1" 721 200 627 122 https://delhi.indiatimes.com/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 127.0.0.1:3000 200 0.003 0.004 0.000 0.004  mumbcms.hydtimes.com
192.87.80.63 "10/Nov/2023:12:59:13 +0530" 192.87.23.114 POST "POST /api/cache/purge HTTP/1.1" 508 200 511 51  "Apache-HttpClient/4.5.2 (Java/1.8.0-262)" 127.0.0.1:3000 200 4.971 4.971 0.000 4.971  apimumbcms.hydtimes.com {\"msid\":\"97367011\",\"keywords\":\"null\",\"hostId\":\"377\",\"mstype\":\"37\",\"title\":\"Home Page News PL\",\"type\":\"null\",\"hisactive\":\"0\",\"operation\":\"PLUPDATED\",\"mssubtype\":\"1\",\"parentId\":\"97088784\"}
%{NOTSPACE:remoteip}(, %{IP})* "%{HTTPDATE:timestamp}" %{IP:lbip} %{WORD:request_method} "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:request_length} %{NUMBER:status} %{NUMBER:bytes_sent} (?:%{NUMBER:body_bytes_sent}|-) %{DATA:http_referer} %{QS:http_user_agent} %{DATA:upstream_addr} %{DATA:upstream_status} %{DATA:request_time} %{DATA:upstream_response_time} %{DATA:upstream_connect_time} %{DATA:upstream_header_time} %{DATA:upstream_cache_status} %{NOTSPACE:server_name}%{GREEDYDATA:payload}

This is my grok pattern, but it is not able to parse the log lines that start with a double quote. Lines starting with a double quote are ignored completely.

If it is not too late:

 # Alternative grok pattern for the nginx access-log samples above.
 # The leading client address is optional because the health-check lines
 # begin with the quoted timestamp and carry no client address, which is
 # why the poster's pattern (first token %{NOTSPACE:remoteip}) skipped them.
 # The method appears twice in the samples (`GET "GET /healthcheck HTTP/1.1"`),
 # hence both %{WORD:verb} and %{WORD:method}.
 # The `\s+` before %{IPORHOST:host} absorbs the double space left where the
 # poster's pattern expected an (empty) %{DATA:upstream_cache_status}.
 # NOTE(review): the numeric fields are named generically here (total,
 # response, recive, httpcode, code1..code4); the poster's own pattern calls
 # them request_length, bytes_sent, body_bytes_sent, upstream_status,
 # request_time, upstream_response_time, upstream_connect_time and
 # upstream_header_time, in that order -- confirm against the log_format
 # in /etc/nginx/nginx.conf before relying on these names.
 # NOTE(review): %{IPORHOST:[source][address]}:%{POSINT:[source][port]} captures
 # the upstream backend (127.0.0.1:3000 in every sample), not the client, and
 # the port group is not optional; the ECS `source.*` naming looks misleading.
 # NOTE(review): grok does not anchor by default and nothing is captured after
 # %{IPORHOST:host}, so the trailing JSON on the /api/cache/purge POST lines is
 # dropped (the poster's pattern kept it as %{GREEDYDATA:payload}). The poster's
 # pattern also allows a comma-separated address list (`(, %{IP})*`); on such a
 # line this pattern would presumably match only the last address -- verify
 # which address is wanted before using sourceip for anything.
 grok {
	  match => { "message" => "(?:%{IPORHOST:sourceip})? \"%{HTTPDATE:time}\" %{IPORHOST:destip} %{WORD:verb} \"%{WORD:method} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:total} %{NUMBER:response_code} %{NUMBER:response} %{NUMBER:recive} (?:%{DATA:referrer})? \"%{DATA:user_agent}\" %{IPORHOST:[source][address]}(?::%{POSINT:[source][port]:int}) %{NUMBER:httpcode} %{NUMBER:code1} %{NUMBER:code2} %{NUMBER:code3} %{NUMBER:code4}\s+%{IPORHOST:host}" }
    }

Please review the field names; they should match those defined in /etc/nginx/nginx.conf.
