Special Characters in logs - how to escape them in logstash grok pattern

shovik · August 7, 2015, 6:22am

Hi,

I am trying to analyse a log in logstash,
here is one line from the log..

11.111.111.111 - - [13/Feb/2015:06:59:59 -0500] "POST /myrequestURI HTTP/1.1" 200 780

the grok expression that i have written is:

%{IPV4:ip} - - [%{MONTHDAY:monthday}/%{MONTH:month}/%{YEAR:year}:%{TIME} %{BASE10NUM:offset}] "%{WORD:method} %{GREEDYDATA:request} %{URIPROTO:protocol}/%{BASE10NUM:version}" %{BASE10NUM:respCode} %{BASE10NUM:respTime}

Here are my queries,

While i give the grok pattern in logstash, logstash throws an exception for the "[" and quotes present in the expression.
How to escape such special characters in logstash config while specifying the grok expression.
For the given date format in the log, is my grok pattern correct or there is anyother pattern which can take care of this.

magnusbaeck · August 7, 2015, 6:39am

This looks like a standard Apache Common log so you should be able to just use the COMMONAPACHELOG grok pattern and be done with it. But to answer your questions:

Use backslashes for escaping. To avoid having to escape the double quotes you can use the fact that Logstash allows both single and double quotes for strings, so you can make your regular expression single quoted. (
See the definition of the COMMONAPACHELOG pattern.

shovik · August 7, 2015, 6:56am

thanks magnus, that helped a tonne.

but to my question, I did escaped the [ symbol with \ but there was an error from logstash.

magnusbaeck · August 7, 2015, 7:07am

It would help it you showed us the exact configuration you tried and the error you got.