Hi
I am struggling to dissect/use grok on the below log entry -
127.0.0.1 - - [25/Sep/2019:11:53:28 +0200] "GET /Request HTTP/1.1" 200 93 "-" "Version/7.1.1 (Build: 194445; Windows 10 (10.0); Zt 1.1.3 windows_x86_64) zt/BFED1047F87A8F60232277F3351E5EF14CBBB050841231BC4B60F0B0C1703335"
Using this -
%{IP:client} - - %{DATA:timestamp} "%{WORD:Request_type} %{URIPATHPARAM:request} %{WORD:somethig}/%{NUMBER:id}" %{NUMBER:responsecode} %{NUMBER:number3} "-" "%{DATA:somedata} %{GREEDYDATA:test22} %{GREEDYDATA:test1}
grok {
  match => [ "message" , "%{IP:client} - - %{DATA:timestamp} "%{WORD:Request_type} %{URIPATHPARAM:request} %{WORD:somethig}/%{NUMBER:id}" %{NUMBER:responsecode} %{NUMBER:number3} "-" "%{DATA:somedata} %{GREEDYDATA:test22} %{GREEDYDATA:test1}" ]
  overwrite => [ "message" ]
}
It works fine in the grok debugger, but when put in my Logstash config file it breaks:
line 13, column 62 (byte 290) after filter {\n grok {\n match => [ "message" , "%{IP:client} - - %{DATA:timestamp} "", :backtrace=>[
  "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'",
  "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'",
  "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'",
  "org/jruby/RubyArray.java:2577:in `map'",
  "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'",
  "org/logstash/execution/AbstractPipelineExt.java:151:in `initialize'",
  "org/logstash/execution/JavaBasePipelineExt.java:47:in `initialize'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:24:in `initialize'",
  "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in `execute'",
  "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:325:in `block in converge_state'"
]}
I have also tried dissect:
dissect {
  mapping => {
    "message" => "%{ip2} - - [%{zt2}] "%{message1}" %{random1} %{random2} "-" "%{stuff}); %{somestuff}) %{ts100}/%{unique_id}"
  }
}
And the pattern isn't found.
Can anyone advise where I am going wrong?
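An added example, not part of the post above: a Python regex that mirrors the grok pattern field by field, parsing the sample line into named fields, plus a helper that quotes a grok pattern for a Logstash config string (inner double quotes must be written as \" inside a double-quoted config string, which is where the compiler error above stops). The field names protocol, version, bytes, referrer, user_agent and zt_id, and the use of %{HTTPDATE} for the bracketed timestamp, are this example's own choices.

```python
import re
from typing import Optional

# Constructed sample line, copied from the question.
SAMPLE = ('127.0.0.1 - - [25/Sep/2019:11:53:28 +0200] "GET /Request HTTP/1.1" 200 93 "-" '
          '"Version/7.1.1 (Build: 194445; Windows 10 (10.0); Zt 1.1.3 windows_x86_64) '
          'zt/BFED1047F87A8F60232277F3351E5EF14CBBB050841231BC4B60F0B0C1703335"')

# Python equivalent of the grok pattern, one named group per grok field.
# The timestamp is taken between its brackets and the user agent as one quoted
# field rather than three DATA/GREEDYDATA pieces (assumptions made here).
LOG_RE = re.compile(
    r'^(?P<client>\d{1,3}(?:\.\d{1,3}){3}) - - '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request_type>\w+) (?P<request>\S+) (?P<protocol>\w+)/(?P<version>[\d.]+)" '
    r'(?P<responsecode>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" '
    r'"(?P<user_agent>[^"]*)"$'
)

def parse_line(line: str) -> Optional[dict]:
    """Return the extracted fields, or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Pull the trailing "zt/<hex>" token out of the agent string (zt_id is a name chosen here).
    zt = re.search(r'\bzt/([0-9A-Fa-f]+)$', fields['user_agent'])
    fields['zt_id'] = zt.group(1) if zt else None
    return fields

# The same layout written as a grok pattern with standard grok names.
GROK_PATTERN = (
    '%{IP:client} - - \\[%{HTTPDATE:timestamp}\\] "%{WORD:request_type} '
    '%{URIPATHPARAM:request} %{WORD:protocol}/%{NUMBER:version}" '
    '%{NUMBER:responsecode} %{NUMBER:bytes} "%{DATA:referrer}" "%{DATA:user_agent}"'
)

def logstash_match_value(pattern: str) -> str:
    """Quote a grok pattern for use as a double-quoted Logstash config string.

    Literal double quotes inside the pattern are escaped as \\" so the config
    parser does not end the string early; wrapping the whole pattern in single
    quotes instead is the other option.
    """
    return '"' + pattern.replace('"', '\\"') + '"'
```

Paste the value returned by logstash_match_value(GROK_PATTERN) as the match string in the grok filter.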