Provided Grok patterns do not match data in the input

Yasso · January 2, 2020, 5:02pm

hello guys
i want to parse that log :
55.3.244.1 GET /index.html 10024 0.043 [2012-01-31 07:19:54 ]
when i'm using this patters :
%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}
i get that result :
{
"duration": "0.043",
"request": "/index.html",
"method": "GET",
"bytes": "10024",
"client": "55.3.244.1"
}
-but my probleme is when i want to get the timestampe of that log by this patterns :
%{TIMESTAMP_ISO8601:timestamp} %{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}
-it says Provided Grok patterns do not match data in the input
please a need a help ..thanks in advance

E04 · January 2, 2020, 9:44pm

Since your timestamp is at the end of your message you will need to add the timestamp at the end of your GROK statement rather than at the beginning. Also ensuring that you escape the brackets encapsulating your timestamp:

%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} \[%{TIMESTAMP_ISO8601:timestamp}

Badger · January 2, 2020, 9:45pm

You show the timestamp at the end of the record but have added a pattern for it at the beginning. That is not going to work.

Yasso · January 3, 2020, 4:20pm

thank you for replying.
i have put it at the end .. but it still says : Provided Grok patterns do not match data in the input
thanks in advance

Rob_wylde · January 5, 2020, 4:27am

%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} \[%{TIMESTAMP_ISO8601:timestamp} \]

The issue here is the need to escape the square brackets.

system · February 2, 2020, 4:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.