Problem in Elastic Stack: Logging Lab 4

Alice · September 29, 2017, 5:14pm

Hi Elastic Team,

When I implemented Elastic Stack: Logging Lab4, I encounter a problem by following page 7 in the Lab4. I added the following code as stated in the lab:

grok{
match => '%{HTTPDATE:timestamp} %{IP:ip} <%{DATA:msg}>'
}

However, I got the error when run logstash, and the error message is "[0] _grokparsefailure', and I have installed grok as well.!

The following are my logstash config file before and after I change it:

The following are outputs in my terminal before and after I change my configuration file:
333
444

warkolm · September 29, 2017, 8:36pm

Is this related to our online training?

Alice · September 29, 2017, 9:22pm

Yes, it is.

warkolm · September 29, 2017, 10:01pm

Ok, I have moved these to the #elastic-training category, as otherwise the training team won't see this (and the other one)

Also please don't post pictures of text, they are difficult to read and some people may not be even able to see them.

nzamecnik · September 29, 2017, 10:35pm

Hello, Alice.

OK, so what is going is that grok expect your text to match the pattern you've defined for it. In your case your grok filter has 3 patterns it is looking for, HTTPDATE, IP and DATA - in that order. The message you're testing with, "Good morning!" doesn't match that pattern. It's simply text. You would need to input a line that had something that matched an HTTPDATE, and IP address and then some text for the DATA part. For instance, this could work:

01/Sep/2015:06:22:11 -0400 192.168.0.1 This is the data part!

And try it with this config (which is the same as your mainly):
input {
stdin {}
}

filter {
grok {
match => {
"message" => '%{HTTPDATE:date} %{IP:ip} %{DATA:mydata}'
}
}
}

output {
stdout {codec => rubydebug
}
}

Alice · September 30, 2017, 3:41pm

Hi Nathan,

Thank you very much. It is very helpful!

system · October 28, 2017, 3:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.