HTTP Parsing fails
Grok Pattern Working Logs
172.27.81.113, 192.34.56.67 - - [07/Jan/2018:19:00:30 -0500] RspTime= 555 microsecond + "GET / HTTP/1.1" 200 3493 - "-" "-"
Grok Pattern Non-Working Log
- - - [07/Jan/2018:19:00:30 -0500] RspTime= 666 microsecond + "GET / HTTP/1.1" 600 6493 - "-" "-"
Grok Pattern I have:
{
  "description": "Parse HTTP Access Logs",
  "processors": [
    {
      "grok" : {
        "field" : "message",
        "patterns" : [
          "%{NOTSPACE:client} %{NOTSPACE:ident} %{NOTSPACE:auth} \[%{HTTPDATE:ts}\] (?:RspTime\= %{NUMBER:timetaken} microsecond) %{NOTSPACE:connstatus} \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?(?:%{HOSTNAME:server})(?:\:%{NUMBER:portnumber})|-) \"(?:%{DATA:referer}|-)\" \"(?:%{DATA:UserAgent}|-)\""
        ],
I tried (?:%{IPORHOST:client}|-) and %{NOTSPACE:client}, still I face issues with parsing the log which has the first field as -.
Can anyone help us?
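
An added example, not part of the original post: a Python re parser for the log layout shown above that accepts both a comma-separated client list and - in the first field, and returns unmatched lines instead of dropping them. It is not grok; the clients list, the anchoring and the status_in_range flag are assumptions made for this example.

```python
import re
from datetime import datetime

# Python `re` rendering of the log layout in the post (not grok/Oniguruma).
# Group names follow the posted pattern; `clients` (a list) is an assumption
# made here so a comma-separated address list stays in one field.
LINE_RE = re.compile(
    r'^(?P<clients>[^\s,]+(?:, ?[^\s,]+)*) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<ts>[^\]]+)\] RspTime= (?P<timetaken>\d+) microsecond '
    r'(?P<connstatus>\S+) '
    r'"(?:(?P<verb>\w+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?'
    r'|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d+) (?P<bytes>\d+|-) (?P<server>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<UserAgent>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of typed fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # A bare "-" means "no value" in this log format; store it as None.
    rec = {k: (None if v == "-" else v) for k, v in m.groupdict().items()}
    rec["clients"] = re.split(r", ?", rec["clients"]) if rec["clients"] else []
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["timetaken"] = int(rec["timetaken"])
    rec["response"] = int(rec["response"])
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"] else None
    # Added check: HTTP status codes run 100-599; keep the event but mark it.
    rec["status_in_range"] = 100 <= rec["response"] <= 599
    return rec

def parse_all(lines):
    """Parse every line; unmatched lines are returned, never dropped silently."""
    parsed, rejected = [], []
    for line in lines:
        rec = parse_line(line)
        (parsed if rec else rejected).append(rec or line)
    return parsed, rejected

# The first two lines are the samples from the post; the third is constructed.
SAMPLES = [
    '172.27.81.113, 192.34.56.67 - - [07/Jan/2018:19:00:30 -0500] RspTime= 555 microsecond + "GET / HTTP/1.1" 200 3493 - "-" "-"',
    '- - - [07/Jan/2018:19:00:30 -0500] RspTime= 666 microsecond + "GET / HTTP/1.1" 600 6493 - "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    print(parse_all(SAMPLES))
```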