Hi,
I'm trying to parse the following strings from a file input:
::10.10.86.13 < auth 10.10.86.13 27/10/2015 13:57:01 [test] [123456789132] [] [] [num|123456789456789|1234567894561234] >
As soon as I try to parse the double colon sequence to take the IP address I get _grokparsefailure.
The only way I avoid the parse error is:
match => { "auth" => "\s*.*?" }
that is useless.
Do you have any idea of how to mess with those colons?
Colons have no special meaning in regular expressions so I don't understand why you would have a problem. This minimal example shows that it works just fine:
Hi Magnus,
thanks for your reply.
Fortunately the issue was a wrong cut&paste in the grok's match line:
match => { "auth" => "\s*.*?" }
I've replaced "auth" with "message" and it worked.
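An added example, not part of any post in this thread: the fix described above written out as a filter block, with a pattern constructed for the sample line in the question. The capture names (`client_ip`, `auth_ip`, `auth_date`, `auth_time`, `realm`, `session_id`, `field3`, `field4`, `detail`) are hypothetical, since the thread does not say what each bracketed value means.

```logstash
filter {
  # As first posted, the match was keyed on "auth". The key of the match hash
  # is the name of the event field grok reads, not a label for the pattern.
  # The raw line from the file input is in "message", so a match keyed on
  # "auth" never tests the log text.
  #
  # grok { match => { "auth" => "..." } }

  grok {
    # Corrected key: "message" holds the line read from the file.
    # The leading "::" is matched literally; colons need no escaping.
    # Square brackets are regex metacharacters and are escaped.
    match => {
      "message" => "^::%{IPV4:client_ip} < auth %{IPV4:auth_ip} %{DATE_EU:auth_date} %{TIME:auth_time} \[%{DATA:realm}\] \[%{DATA:session_id}\] \[%{DATA:field3}\] \[%{DATA:field4}\] \[%{DATA:detail}\] >\s*$"
    }
  }
}
```

Events that still carry the `_grokparsefailure` tag after this change are lines that do not fit the pattern, which makes the tag useful for spotting malformed or unexpected auth records.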