Why _grokparsefailure?

Part of a config

filter {
  if [message] =~ /actions/ or [message] =~ /172\.16\.10\.78/ or [message] =~ /172\.16\.10\.77/ {
    grok {
      match => [ "message",
                 "%{GREEDYDATA:timestamp}%{LOGLEVEL:level}%{GREEDYDATA:data}"
               ]
    }
  }
}

log string

2024-01-26 10:38:40.503 DEBUG [actions,,] 7 --- [/api/v2/spans}}] o.s.w.HttpLogging : HTTP POST http://172.16.10.78:9411/api/v2/spans

And here is how it looks in Kibana

Why _grokparsefailure?

You are missing spaces.

Grok should be something like this:
%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} \[%{DATA:something1},%{DATA:something2},%{DATA:something3}\] %{POSINT:mum} %{DATA:something4} \[%{DATA:something5}\] %{DATA:method} : %{DATA:protocol} %{DATA:httpmethod} %{URI:url}$

Also, you can use %{SPACE} or \s+ instead of a literal space " ".

Can I use
"%{GREEDYDATA:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:data}"
?

Yes, nobody forbids you, however you will get:

timestamp: 2024-01-26·10:38:40.503
level: DEBU
data: [actions,,]·7·---·[/api/v2/spans}}]·o.s.w.HttpLogging·:·HTTP·POST·http://172.16.10.78:9411/api/v2/spans

According to the ELK grok pattern I got

{
  "data": "[actions,,] 7 --- [/api/v2/spans}}] o.s.w.HttpLogging : HTTP POST http://172.16.10.78:9411/api/v2/spans",
  "level": "DEBUG",
  "timestamp": "2024-01-26 10:38:40.503"
}

Exactly what I wrote above.
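To make the difference between the two patterns in this thread reproducible without a running Logstash, here is a small grok-to-regex expander in Python. It is an added example, not code from the thread or from Logstash; the pattern bodies in GROK_PATTERNS are simplified stand-ins I wrote for this example and are not the definitions shipped in logstash-patterns-core (the real URI and TIMESTAMP_ISO8601 patterns are far more elaborate, and the real LOGLEVEL also accepts mixed-case and abbreviated level names). It runs the answer's full pattern and the "%{GREEDYDATA:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:data}" pattern over the log line from the question, and returns None where Logstash would tag the event with _grokparsefailure.

```python
import re

# Simplified stand-ins for the grok patterns referenced in this thread.
# Assumption: these approximate, but are not identical to, the official
# logstash-patterns-core definitions.
GROK_PATTERNS = {
    "GREEDYDATA": r".*",
    "DATA": r".*?",
    "SPACE": r"\s*",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL)",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?",
    "URI": r"[A-Za-z][A-Za-z0-9+.\-]*://\S+",
}

# Matches %{NAME} and %{NAME:field} references inside a grok expression.
_REF = re.compile(r"%\{(?P<name>[A-Z0-9_]+)(?::(?P<field>[A-Za-z0-9_]+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} references into a Python regex with named groups.

    Literal text between references (spaces, \\[, :, $) is passed through
    unchanged, exactly as grok does.
    """
    def repl(m: re.Match) -> str:
        body = GROK_PATTERNS[m.group("name")]
        field = m.group("field")
        if field is None:
            return f"(?:{body})"           # unnamed reference: match, don't capture
        return f"(?P<{field}>{body})"      # named reference: capture as a field
    return _REF.sub(repl, pattern)


def grok_match(pattern: str, line: str):
    """Return the captured fields as a dict, or None on no match.

    None is the situation in which Logstash's grok filter adds the
    _grokparsefailure tag to the event. re.search is used because grok is
    not anchored unless the pattern itself contains ^ or $.
    """
    m = re.search(grok_to_regex(pattern), line)
    return None if m is None else m.groupdict()


# The log line posted in the question.
LOG_LINE = ("2024-01-26 10:38:40.503 DEBUG [actions,,] 7 --- [/api/v2/spans}}] "
            "o.s.w.HttpLogging : HTTP POST http://172.16.10.78:9411/api/v2/spans")

# The full pattern suggested in the answer.
ANSWER_PATTERN = (
    r"%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} "
    r"\[%{DATA:something1},%{DATA:something2},%{DATA:something3}\] "
    r"%{POSINT:mum} %{DATA:something4} \[%{DATA:something5}\] "
    r"%{DATA:method} : %{DATA:protocol} %{DATA:httpmethod} %{URI:url}$"
)

# The shorter pattern asked about later in the thread.
SIMPLE_PATTERN = r"%{GREEDYDATA:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:data}"


if __name__ == "__main__":
    for name, pattern in (("answer", ANSWER_PATTERN), ("simple", SIMPLE_PATTERN)):
        print(f"--- {name} pattern ---")
        result = grok_match(pattern, LOG_LINE)
        if result is None:
            print("_grokparsefailure")
        else:
            for field, value in result.items():
                print(f"{field}: {value}")
```

The simple pattern yields the three fields shown in the thread (timestamp, level, data), while the answer's pattern splits the same line into the individual bracketed and colon-separated pieces; a line with no recognisable level word makes grok_match return None, which is the case that surfaces as _grokparsefailure in Kibana.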
