WORD is not working in grok filter for Apache logs in Logstash

Hi,

I am using the below grok filter to parse the Apache logs pattern.
The grok filter is:
(%{IPORHOST:clientip})?|%{QUOTEDSTRING:user}|(%{WORD:cust})?|

The first field clientip is optional, so I have added ? to it. The same applies to cust. cust is also optional.
And the logs are (A part of the Apache log)
-|"User1"|-|

But the above condition is not matching. I tried to split the above filter to see whether each term is matching or not. So, till cust it's matching without any issues, but it's not matching the | (pipe character).

Please help.

Thank You.

Can you write here an example of a line that doesn't match?

| is used for alternation in regexps. You need to escape it using \ if you want to match a literal pipe.

Hi,

I have also tried escaping it but it's still not working. The updated grok filter is:

(%{IPORHOST:clientip})?\|%{QUOTEDSTRING:user}\|(%{WORD:cust})?\|

And an example of the log is
-|"User1"|-|

I am making clientip and cust as optional.

Thank You

You do not want an optional field, you want an alternation that matches either an IP or -. So something like

(%{IPORHOST:clientip}|-)\|%{QUOTEDSTRING:user}\|(%{WORD:cust}|-)\|
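
Why the ? version fails on this line while the alternation matches, as an added example that is not part of the original thread: a Ruby sketch (Ruby's regex engine is a fork of the Oniguruma library grok uses) that expands the %{NAME:field} references and runs both filters over constructed sample lines. The helpers grok_to_regexp and grok_fields are hypothetical, and the IPORHOST and QUOTEDSTRING definitions are simplified stand-ins, not the stock grok patterns.

```ruby
# Simplified stand-ins for the stock grok definitions (assumptions for this
# example); WORD is written as in the stock pattern file.
GROK = {
  "IPORHOST"     => '(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9][A-Za-z0-9.-]*)',
  "QUOTEDSTRING" => '"[^"]*"',
  "WORD"         => '\b\w+\b',
}.freeze

# The two escaped filters from the thread.
OPTIONAL    = '(%{IPORHOST:clientip})?\|%{QUOTEDSTRING:user}\|(%{WORD:cust})?\|'
ALTERNATION = '(%{IPORHOST:clientip}|-)\|%{QUOTEDSTRING:user}\|(%{WORD:cust}|-)\|'

# Hypothetical helper: turn each %{NAME:field} into a named capture group.
def grok_to_regexp(pattern)
  Regexp.new(pattern.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{GROK.fetch($1)})" })
end

# Hypothetical helper: captured fields as a hash, or nil when nothing matches
# (the case Logstash tags _grokparsefailure). The search is unanchored.
def grok_fields(pattern, line)
  grok_to_regexp(pattern).match(line)&.named_captures
end

# Constructed sample lines.
SAMPLES = [
  '-|"User1"|-|',             # both optional fields logged as "-"
  '-|"User1"|acme|',          # only clientip logged as "-"
  '192.0.2.10|"User1"|acme|', # every field populated
].freeze

# With ?, a group may match nothing, but the "-" in the log still has to be
# consumed by something. For clientip the unanchored search simply starts at
# the first pipe and skips the leading "-". For cust there is nothing to skip
# to: the empty group is followed by \| and the next character is "-".
SAMPLES.each do |line|
  puts line
  puts "  optional:    #{grok_fields(OPTIONAL, line).inspect}"
  puts "  alternation: #{grok_fields(ALTERNATION, line).inspect}"
end
```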

Hi @Badger. Thank you so much for your help. It really worked fine for my log file.

Thanks a lot.
