Why _grokparsefailure doesn't give a specific error

Hello Good folks,

When we get a _grokparsefailure, how can I understand where the error is generated while parsing?
I just tried to grab the first two fields from the file using the following grok filter. It threw an error without actually giving details.

		match => ["message", '\[%{HTTPDATE:timestamp}\] %{WORD:efw}']

The file I am reading:

[2017-03-03 16:06:02] EFW: TCP_FLAG: prio=2 id=03300004 rev=1 event=tcp_flag_set action=strip_flag bad_flag=ECN rule=TCPECN recvif=interface srcip= destip= ipdf=1 ipproto=TCP ipdatalen=32 srcport=13111 destport=80 tcphdrlen=32 syn=1 ece=1 cwr=1

Logstash error:

Regular expression matchers typically don't provide details about what part of the expression matched and what part didn't.

The key is to build your expressions gradually. Start with the very simplest you can. When that works, move on by adding more to the end of your expression. Continue until you're done or until it stops matching.

In this particular case the problem is that you're using HTTPDATE. Its definition looks like this:

Clearly, this doesn't match the timestamp you have. Try TIMESTAMP_ISO8601 instead.

Have you tried using the grok constructor web site?
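
To make the "build it up gradually" advice concrete, here is an added example (not code from the thread or from Logstash itself): a miniature grok expander in Ruby, the language Logstash's grok filter is written in. It turns `%{NAME:field}` references into an ordinary regexp, the way grok does, and then grows the expression one piece at a time so the first piece that stops matching stands out. The pattern definitions are an abridged copy of the ones shipped in logstash-patterns-core (the MONTH alternation is shortened to English month names only), the sample line is the one from the question, and `first_failing_piece` is a helper written for this illustration, not a grok API.

```ruby
# Added example: a tiny grok pattern expander used to show why
# %{HTTPDATE} rejects "[2017-03-03 16:06:02]" while %{TIMESTAMP_ISO8601}
# accepts it, and how to grow an expression piece by piece.
# Definitions below are abridged from logstash-patterns-core (grok-patterns).
PATTERNS = {
  'MONTHDAY'          => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  'MONTHNUM'          => '(?:0?[1-9]|1[0-2])',
  # abridged: the shipped MONTH pattern also accepts German spellings
  'MONTH'             => '\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b',
  'YEAR'              => '(?>\d\d){1,2}',
  'HOUR'              => '(?:2[0123]|[01]?[0-9])',
  'MINUTE'            => '(?:[0-5][0-9])',
  'SECOND'            => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  'TIME'              => '(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])',
  'INT'               => '(?:[+-]?(?:[0-9]+))',
  'ISO8601_TIMEZONE'  => '(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))',
  # Apache/nginx access-log style: 10/Oct/2000:13:55:36 -0700
  'HTTPDATE'          => '%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}',
  # ISO 8601 style: 2017-03-03 16:06:02 (the format in the question)
  'TIMESTAMP_ISO8601' => '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?',
  'WORD'              => '\b\w+\b',
}.freeze

GROK_REF = /%\{(\w+)(?::(\w+))?\}/

# Recursively replace %{NAME} / %{NAME:field} with the pattern body.
# A field name becomes a named capture group, a bare reference a non-capturing one.
def expand(src)
  src.gsub(GROK_REF) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    body = PATTERNS.fetch(name) { raise ArgumentError, "unknown pattern #{name}" }
    inner = expand(body)
    field ? "(?<#{field}>#{inner})" : "(?:#{inner})"
  end
end

# Returns the captured fields as a Hash, or nil when the line does not match
# (nil is the equivalent of Logstash tagging the event _grokparsefailure).
def grok_match(expr, line)
  m = Regexp.new(expand(expr)).match(line)
  m && m.named_captures
end

# Grow the expression one piece at a time and return the first piece whose
# addition breaks the match (nil when every piece matches). Pieces are joined
# without separators, so each piece carries its own literal punctuation.
def first_failing_piece(pieces, line)
  expr = +''
  pieces.each do |piece|
    expr << piece
    return piece if grok_match(expr, line).nil?
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the log line from the question (truncated)
  line = '[2017-03-03 16:06:02] EFW: TCP_FLAG: prio=2 id=03300004 rev=1 event=tcp_flag_set'
  pieces = ['\[', '%{HTTPDATE:timestamp}', '\] ', '%{WORD:efw}']
  puts "first failing piece: #{first_failing_piece(pieces, line).inspect}"
  pieces[1] = '%{TIMESTAMP_ISO8601:timestamp}'
  puts "first failing piece: #{first_failing_piece(pieces, line).inspect}"
  p grok_match(pieces.join, line)
end
```

Run it and the first attempt stops at `%{HTTPDATE:timestamp}` (it expects `dd/Mon/yyyy:HH:MM:SS +zzzz`), while the ISO 8601 variant matches end to end and yields `timestamp` and `efw`. The same loop is what you do by hand in a grok debugger: keep the last expression that matched, append the next token, and retry.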

That worked, Magnusbaeck. Thank you.

Can you suggest any sites/links that have samples of grok filters? I googled and found some blogs, but there were no good samples in them.

Thank you.

Grok is just a convenience layer on top of regular expressions, and regular expressions are explained in many places. If you understand regular expressions then you'll understand grok in no time.

Thank you.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.