Trying to parse double colons with grok fails


(Daniele Di Minica) #1

Hi,
I'm trying to parse the following strings from a file input:
::10.10.86.13 < auth 10.10.86.13 27/10/2015 13:57:01 [test] [123456789132] [] [] [num|123456789456789|1234567894561234] >

As soon as I try to parse the double colon sequence to take the IP address I get _grokparsefailure.

The only way I avoid the parse error is:
match => { "auth" => "\s*.*?" }
that is useless.

Do you have any idea of how to mess with those colons?

thanks
daniele


(Magnus Bäck) #2

Colons have no special meaning in regular expressions so I don't understand why you would have a problem. This minimal example shows that it works just fine:

$ cat test.config 
input { stdin { } }
output { stdout { codec => rubydebug } }
filter {
  grok {
    match => {
      "message" => "^::%{IP:ip} < auth.*"
    }
  }
}
$ echo '::10.10.86.13 < auth 10.10.86.13 27/10/2015 13:57:01 [test] [123456789132] [] [] [num|123456789456789|1234567894561234] >' | /opt/logstash/bin/logstash -f test.config
Logstash startup completed
{
       "message" => "::10.10.86.13 < auth 10.10.86.13 27/10/2015 13:57:01 [test] [123456789132] [] [] [num|123456789456789|1234567894561234] >",
      "@version" => "1",
    "@timestamp" => "2015-11-05T12:08:21.614Z",
          "host" => "lnxolofon",
            "ip" => "10.10.86.13"
}
Logstash shutdown completed

(Daniele Di Minica) #3

Hi Magnus,
thanks for your reply.
Fortunately the issue was a wrong cut&paste in the grok's match line:
match => { "auth" => "\s*.*?" }
I've replaced "auth" with "message" and it worked.

Thanks!
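The root cause in this thread is the field name in the `match` hash, not the colons: a grok pattern that is matched against a field the event does not have can never succeed, and the event gets tagged `_grokparsefailure` exactly as if the regex were wrong. The following Python snippet is an added illustration, not code from the thread or from Logstash: it reproduces the grok matching step in plain `re`, using a simplified IPv4 sub-pattern as a stand-in for grok's `%{IP}` (an assumption; the real grok pattern is stricter about octet ranges), and shows that `"message"` parses the sample line while `"auth"` fails purely because that key is absent.

```python
import re

# Simplified IPv4 sub-pattern standing in for grok's %{IP}.
# Assumption: grok's built-in pattern is stricter; this is enough for the sample line.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Regex equivalent of the grok pattern "^::%{IP:ip} < auth.*" from the answer,
# extended here to also capture the second IP, the timestamp and the first two
# bracketed fields. Note that "::" is matched literally: colons are not regex
# metacharacters, so nothing needs escaping.
LINE_RE = re.compile(
    r"^::(?P<ip>" + IPV4 + r") < auth (?P<src_ip>" + IPV4 + r") "
    r"(?P<timestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<tag>[^\]]*)\] \[(?P<session>[^\]]*)\]"
)

# Constructed event, shaped like what the file input would produce:
# the raw line lives in the "message" field; there is no "auth" field.
SAMPLE_EVENT = {
    "message": "::10.10.86.13 < auth 10.10.86.13 27/10/2015 13:57:01 "
               "[test] [123456789132] [] [] [num|123456789456789|1234567894561234] >",
}


def grok_like(event, field, pattern=LINE_RE):
    """Mimic the grok filter's match step.

    Returns (captured_fields, tags). A missing source field and a
    non-matching line both yield the "_grokparsefailure" tag, which is
    why the wrong field name in the original config looked like a
    problem with the pattern itself.
    """
    text = event.get(field)
    if text is None:
        return {}, ["_grokparsefailure"]
    m = pattern.match(text)
    if m is None:
        return {}, ["_grokparsefailure"]
    return m.groupdict(), []


if __name__ == "__main__":
    for field in ("message", "auth"):
        fields, tags = grok_like(SAMPLE_EVENT, field)
        print(f'match against "{field}": fields={fields} tags={tags}')
```

Running it prints the captured fields for `"message"` and an empty capture plus the `_grokparsefailure` tag for `"auth"`, which is the behaviour the original poster saw. When debugging a grok failure, checking that the source field actually exists on the event (for example with `stdout { codec => rubydebug }` as in the answer above) is a cheaper first step than rewriting the pattern.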


(system) #4