Two copies of one log

Hi, when I upload a string of Apache log into Kibana I see one with the real timestamp and the same string with the timestamp of the upload. I use the mapping found on GitHub here https://github.com/elastic/examples/tree/master/ElasticStack_apache.


This is the JSON with the upload timestamp.

This is the JSON with the real date timestamp. I use different strings.
Thanks for replying

In the first example your grok filter isn't working on your log line, so the date filter that would otherwise take the timestamp from the log and store it in the @timestamp field doesn't work either.

Hi @magnusbaeck, I use:

filter {
  grok {
    match => {
      "message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:respon$
    }
  }
  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    target => "@timestamp"
    locale => en
  }
}

Now my question is: I have the same type of log (Apache), so why does the grok filter match only some strings and not all of them? What is wrong?
Thank you for replying.

Show an example of a log line that the grok filter couldn't parse. Use copy/paste, don't post a screenshot. Please also post exactly what your grok filter looks like. The configuration you posted above is damaged (your grok expression hardly ends with "%{NUMBER:respon$"). Make sure you post your configuration as preformatted text using the </> toolbar button.

@magnusbaeck, this is my grok config:

grok {
  match => {
    "message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}'
  }
}

I know you asked me for a complete log string, but while investigating this issue I found some similar anomalies.
Look at the yellow circle.


This is the correct match.
Now look at the damaged match.

For me the error is that my grok filter doesn't match messages starting with "-".
Thanks for replying

Okay, so replace

%{IPORHOST:clientip}

with

(?:-|%{IPORHOST:clientip})

to make the initial IP address optional.

1 Like

Perfect, thank you very much @magnusbaeck

Hi @magnusbaeck, I have another problem with that grok filter and I think it is because of the request or the HTTP verbs.


I don't know why, but this JSON data isn't matched by the grok filter.
Thanks for replying

Show an example of a log line that the grok filter couldn't parse. Use copy/paste, don't post a screenshot. Please also post exactly what your grok filter looks like.

This is my grok filter

grok {
  match => {
    "message" => '(?:-|%{IPORHOST:clientip}) %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}'
  }
}

and these are two Apache log strings

"188.135.227 - - [14/Mar/2017:11:11:15 +0100] "BASELINE-CONTROL /banner/fileadmin/fileadmin/T2uCB7.htm HTTP/1.1" 200 33611 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" "10.0.148861205248" "-" "59194""

"188.135.227 - - [14/Mar/2017:11:11:11 +0100] "X-MS-ENUMATTS /banner/fileadmin/vLkgrYq.htm HTTP/1.1" 200 33611 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" "10.0.148861205248" "-" "61982""

Thank you very much @magnusbaeck for your help

Try %{NOTSPACE:verb} instead of %{WORD:verb}.

1 Like

It works, but why doesn't WORD work?
Thank you very much for replying

Because of the hyphens. \w doesn't include hyphens.

1 Like
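The two fixes given in this thread, making the leading client address optional and replacing %{WORD:verb} with %{NOTSPACE:verb}, can be checked outside Logstash. The script below is an added example, not code from the thread or from the Elastic examples repository. It implements a small subset of grok's pattern expansion (turning %{NAME:field:type} references into named regex groups with int conversion) over simplified copies of the built-in patterns the thread's filter uses (an assumption of this example: the real BASE10NUM uses an atomic group, QS also accepts single quotes and backticks, and MONTH accepts full month names), then runs the filter from the thread in its three versions over the BASELINE-CONTROL line posted above plus two constructed lines, one ordinary GET and one with "-" in place of the client address and the byte count.

```python
import re

# Simplified copies of the Logstash grok patterns the thread's filter uses
# (assumption of this example; the shipped definitions are longer).
GROK = {
    "IPV4": r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)[.](?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)[.](?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)[.](?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![0-9])",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IPORHOST": r"(?:%{IPV4}|%{HOSTNAME})",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "USER": r"%{USERNAME}",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "BASE10NUM": r"(?<![0-9.+-])(?:[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))",
    "NUMBER": r"(?:%{BASE10NUM})",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "YEAR": r"(?:\d\d){1,2}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}:%{SECOND}",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "WORD": r"\b\w+\b",       # \w has no hyphen, so BASELINE-CONTROL is rejected
    "NOTSPACE": r"\S+",       # anything up to the next space, hyphens included
    "DATA": r".*?",
    "QS": r'"(?:\\.|[^\\"])*"',
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")
CONVERT = {"int": int, "float": float}


def compile_grok(pattern):
    """Expand %{NAME[:field[:type]]} references into a Python regex.

    Returns the compiled regex and a {field: type} map for conversions.
    """
    types = {}

    def expand(m):
        name, field, typ = m.groups()
        if name not in GROK:
            raise KeyError(f"unknown grok pattern {name}")
        if field is None:
            return f"(?:{GROK[name]})"
        if typ:
            types[field] = typ
        return f"(?P<{field}>{GROK[name]})"

    # Nested references (IPORHOST -> IPV4/HOSTNAME, TIME -> HOUR ...) need
    # several passes; stop when a pass changes nothing.
    previous = None
    while previous != pattern:
        previous, pattern = pattern, GROK_REF.sub(expand, pattern)
    return re.compile(pattern), types


def grok_match(pattern, line):
    """Like the grok filter: unanchored search; None stands for _grokparsefailure."""
    regex, types = compile_grok(pattern)
    m = regex.search(line)
    if m is None:
        return None
    fields = {}
    for field, value in m.groupdict().items():
        if value is None:      # alternative not taken, e.g. "-" instead of an IP
            continue
        fields[field] = CONVERT.get(types.get(field), str)(value)
    return fields


# The filter as first posted, after the first fix, and after the second fix.
PATTERN_ORIGINAL = (
    r'%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] '
    r'"%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" '
    r'%{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}'
)
PATTERN_OPTIONAL_IP = PATTERN_ORIGINAL.replace(
    "%{IPORHOST:clientip}", "(?:-|%{IPORHOST:clientip})")
PATTERN_NOTSPACE = PATTERN_OPTIONAL_IP.replace("%{WORD:verb}", "%{NOTSPACE:verb}")

# Line posted in the thread (the one %{WORD:verb} rejects).
LINE_A = ('188.135.227 - - [14/Mar/2017:11:11:15 +0100] "BASELINE-CONTROL '
          '/banner/fileadmin/fileadmin/T2uCB7.htm HTTP/1.1" 200 33611 "-" '
          '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" '
          '"10.0.148861205248" "-" "59194"')
# Constructed for this example: an ordinary request, and one with "-" in
# place of the client address and of the byte count.
LINE_B = ('192.0.2.10 - - [14/Mar/2017:11:11:11 +0100] "GET /index.html HTTP/1.1" '
          '200 512 "-" "Mozilla/4.0"')
LINE_C = ('- - - [14/Mar/2017:11:11:11 +0100] "GET /index.html HTTP/1.1" '
          '200 - "-" "Mozilla/4.0"')

if __name__ == "__main__":
    for name, pattern in [("original", PATTERN_ORIGINAL),
                          ("optional ip", PATTERN_OPTIONAL_IP),
                          ("notspace verb", PATTERN_NOTSPACE)]:
        for label, line in [("A", LINE_A), ("B", LINE_B), ("C", LINE_C)]:
            fields = grok_match(pattern, line)
            if fields is None:
                print(f"{name:14} {label}: _grokparsefailure")
            else:
                print(f"{name:14} {label}: clientip={fields.get('clientip')} "
                      f"verb={fields['verb']} bytes={fields.get('bytes')}")
```

Running it shows the progression from the thread: the first pattern parses only the plain GET line, the optional-IP pattern additionally parses the line starting with "-", and only the %{NOTSPACE:verb} pattern parses the BASELINE-CONTROL line. The same check can be made against the real patterns with the Grok Debugger in Kibana; this script only reproduces the search semantics and the named-group expansion.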
