Grok pattern for logstash / elasticsearch
Question
I have the following logfile (multiple lines)
[25/Nov/2015:15:25:06 +0000] 28minutes.asf-prod.arte.tv GET /profiles/asf/themes/asf/css/grab.png http_code=302 query= uid=0 php_pid=1634 php_time=0.047 queue_wait=0 request_id="v-b52d24dc-9388-11e5-bf44-22000a5ba31e"
[25/Nov/2015:15:25:13 +0000] karambolage.asf-prod.arte.tv GET /fr/la-devinette-194-karambolage http_code=200 query= uid=0 php_pid=1603 php_time=1.113 queue_wait=0 request_id="v-b865c0c8-9388-11e5-9210-22000a5ba31e"
And the following filter for grok
\[%{HTTPDATE:timestamp}\] %{URIHOST:acquia_vhost} %{WORD:verb} %{NOTSPACE:request} http_code=%{NUMBER:response} query=(%{USER:query})? uid=%{NUMBER:uid} php_pid=%{NUMBER:php_pid} php_time=%{NUMBER:php_time} queue_wait=%{NUMBER:queue_wait} request_id=%{QUOTEDSTRING:request_id}\$
I'm testing with http://grokconstructor.appspot.com/do/match#result and I get a 'non matched'.
But I don't see any problem with my pattern :( Thanks for your hellp
Best regards,
2 answers
solution1
1 2015-11-25 16:02:46
"\\$" would mean a dollar sign at the end of your pattern. You have no such thing.
In general, build up your patterns one element at a time. That way, when they break, you know where it was.
solution2
0 ACCPTED 2016-01-15 09:40:30
Here's a working conf
grok {
match => { "message" => "\[%{HTTPDATE:timestamp}\] %{URIHOST:acquia_vhost} %{WORD:verb} %{NOTSPACE:request} http_code=%{NUMBER:response} query=(%{NOTSPACE:query})? uid=%{NUMBER:uid} php_pid=%{NUMBER:php_pid} php_time=%{NUMBER:php_time} queue_wait=%{NUMBER:queue_wait} request_id=%{QUOTEDSTRING:request_id}"}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.