Special Characters in logs - how to escape them in logstash grok pattern

(shovik dey) #1


I am trying to analyse a log in Logstash.
Here is one line from the log: - - [13/Feb/2015:06:59:59 -0500] "POST /myrequestURI HTTP/1.1" 200 780

The grok expression that I have written is:

%{IPV4:ip} - - [%{MONTHDAY:monthday}/%{MONTH:month}/%{YEAR:year}:%{TIME} %{BASE10NUM:offset}] "%{WORD:method} %{GREEDYDATA:request} %{URIPROTO:protocol}/%{BASE10NUM:version}" %{BASE10NUM:respCode} %{BASE10NUM:respTime}

Here are my queries:

  1. When I give the grok pattern in Logstash, Logstash throws an exception for the "[" and quotes present in the expression.
    How do I escape such special characters in the Logstash config while specifying the grok expression?

  2. For the given date format in the log, is my grok pattern correct, or is there any other pattern which can take care of this?

(Magnus Bäck) #2

This looks like a standard Apache Common log so you should be able to just use the COMMONAPACHELOG grok pattern and be done with it. But to answer your questions:

  1. Use backslashes for escaping. To avoid having to escape the double quotes you can use the fact that Logstash allows both single and double quotes for strings, so you can make your regular expression single quoted.
  2. See the definition of the COMMONAPACHELOG pattern.
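
The two suggestions in the reply above, written out as a filter block. This is an added example, not part of the original thread; it reuses the expression from post #1 with only the quoting and bracket escaping changed, and assumes the log line arrives in the default `message` field.

```logstash
filter {
  grok {
    # Option A (left commented out): the stock pattern suggested in the reply.
    # COMMONAPACHELOG already matches the bracketed timestamp with
    # \[%{HTTPDATE:timestamp}\], so no hand-written date pattern is needed.
    # match => { "message" => "%{COMMONAPACHELOG}" }

    # Option B: the expression from post #1.
    #  - The pattern string is single quoted, so the double quotes that
    #    surround the request in the log line need no escaping.
    #  - \[ and \] match the literal brackets around the timestamp.
    #    Left unescaped, [ ... ] is read as a regular-expression
    #    character class instead of literal text.
    match => {
      "message" => '%{IPV4:ip} - - \[%{MONTHDAY:monthday}/%{MONTH:month}/%{YEAR:year}:%{TIME} %{BASE10NUM:offset}\] "%{WORD:method} %{GREEDYDATA:request} %{URIPROTO:protocol}/%{BASE10NUM:version}" %{BASE10NUM:respCode} %{BASE10NUM:respTime}'
    }
  }
}
```

Events the pattern fails to match are tagged `_grokparsefailure` by default, which gives a quick way to check the expression against real log lines.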

(shovik dey) #3

Thanks Magnus, that helped a tonne.

But to my question, I did escape the [ symbol with \ but there was an error from Logstash.

(Magnus Bäck) #4

It would help if you showed us the exact configuration you tried and the error you got.
