Standard IIS grok templates can't parse

Hi! Can't find a reason... Any idea?
I have errors "Provided Grok expressions do not match field value". But it passes if I copy the template and data to grokconstructor.appspot.com.
Standard module IIS template in use (7.13.3).
IIS log and piece of data:
```
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-07-29 10:05:25 10.0.1.111 GET /api/v5/cryptoprofiles - 80 - 10.0.1.129 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0.4515.107+Safari/537.36 https://platform.xxxxx.xxx/ 200 0 0 80
```

Could you please format your post, so we can see what is the exact content here you're trying to parse?

Sorry..
Log data:

```
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-07-29 10:05:25 10.0.1.111 GET /api/v5/cryptoprofiles - 80 - 10.0.1.129 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0.4515.107+Safari/537.36 https://platform.xxxxx.xxx/ 200 0 0 80
```

It passes in the ELK Grok Debugger with the pattern copied from filebeat-7.13.3-iis-access-pipeline:

```
%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})
```

Can you post the errors you're getting?

As an example, error.message:

```
Provided Grok expressions do not match field value: [2021-08-02 13:01:04 10.0.1.110 GET /api/news/neighbours/00200 - 80 - 10.0.1.129 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/14.1.1+Safari/605.1.15 https://xxxx.xxx/ 200 0 0 38]
```
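An added example, not from the thread or the Filebeat module: a small Python re-implementation of the pipeline pattern quoted above, using simplified stand-ins for the grok base patterns (an assumption; they approximate rather than copy logstash-patterns-core), run against the posted log line. It also includes two cheap checks worth making when an event matches in the debugger but fails in the pipeline: invisible trailing characters, and a field count that differs from the log's #Fields directive.

```python
import re
# Simplified stand-ins for the grok base patterns the Filebeat IIS pipeline uses
# (assumption: approximations of logstash-patterns-core, not verbatim copies).
GROK_BASE = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Za-z][0-9A-Za-z-]*(?:\.[0-9A-Za-z][0-9A-Za-z-]*)*)",
    "WORD": r"\b\w+\b", "NOTSPACE": r"\S+", "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
}
# The pattern quoted from the filebeat-7.13.3 IIS access pipeline, unchanged.
IIS_GROK = (
    "%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) "
    "(?:-|%{NOTSPACE:url.path}) (?:-|%{NOTSPACE:url.query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) "
    "(?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:http.request.referrer}) "
    "(?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) "
    "(?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:temp.duration:long})"
)
# Constructed sample: the first log line and the #Fields directive posted in the thread.
FIELDS_HEADER = "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken"
SAMPLE_LINE = "2021-07-29 10:05:25 10.0.1.111 GET /api/v5/cryptoprofiles - 80 - 10.0.1.129 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0.4515.107+Safari/537.36 https://platform.xxxxx.xxx/ 200 0 0 80"

def grok_to_regex(grok):
    """Expand %{PATTERN:field[:type]} to an anchored regex; groups are g0, g1, ... (dots are illegal in group names)."""
    fields = []
    def repl(m):
        fields.append((m.group(2), m.group(3)))
        return "(?P<g%d>%s)" % (len(fields) - 1, GROK_BASE[m.group(1)])
    return re.compile("^" + re.sub(r"%\{(\w+):([\w.]+)(?::(\w+))?\}", repl, grok) + "$"), fields
IIS_REGEX, IIS_FIELDS = grok_to_regex(IIS_GROK)

def parse_iis_line(line):
    """Field dict for one W3C line, or None when the grok fails; '-' fields are omitted."""
    m = IIS_REGEX.match(line)
    if not m:
        return None
    out = {}
    for i, (field, typ) in enumerate(IIS_FIELDS):
        val = m.group("g%d" % i)
        if val is not None:
            out[field] = int(val) if typ == "long" else val
    return out

def mismatch_hints(line, fields_header=FIELDS_HEADER):
    """Cheap checks when a line matches in the debugger but not in the pipeline."""
    hints = []
    if line != line.rstrip():
        hints.append("trailing whitespace or CR/LF in the event")
    expected = len(fields_header.split()) - 1  # drop the '#Fields:' token itself
    if len(line.split()) != expected:
        hints.append("line has %d fields, #Fields declares %d" % (len(line.split()), expected))
    return hints
```

A pipeline event that carries a stray carriage return, or a site logging more W3C fields than the module expects, fails the anchored pattern while the trimmed line pasted into a debugger still matches.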
