
I wrote a grok filter with a regex, and in the Grok Debugger the config works without errors, but when I want to match in logstash.conf the result is always a "_grokparsefailure".

The message I want to match is: 10.196.3.3 - - [01/Aug/2014:00:00:16 +0200] "GET / HTTP/1.1" 200 1507 "-" "-"

My filter in the grok debugger is:

(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"

The complete conf is:

input {
  file {
    type => 'jboss_log'
    path => '/home/christian/Downloads/access-logs-2014-08/vlpr133-2014-08/jBoss_http_access*.log'
    start_position => 'beginning'
  }
}

filter {
  if [type] == 'jboss_log' {
    grok {
      match => [' message', '(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"']
      #tag_on_failure => [ ]
    }
  }
}

output {
  stdout { codec => json }
  elasticsearch { cluster => 'elasticsearch' }
}

So can someone help me, please?

  • Can you add the record with the `_grokparsefailure` to your question? It could be there's some sort of hidden character that's not matching, and that should be a little more obvious from the output. (Also, you might want to try codec => rubydebug, since it's a little more readable than the json output.) – Alcanzar Nov 10 '14 at 14:21

1 Answer

Oops, the solution is that there is a whitespace before ' message' :D
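The following is an added example, not code from the question or the answer. It runs the question's grok regex against the sample access-log line in plain Ruby (Logstash runs on JRuby and grok uses the same Oniguruma `(?<name>...)` named-group syntax), and then reproduces the failure mode the answer identifies with a small, simplified stand-in for the grok filter's `match => [field, pattern]` step (the `apply_grok` function is an assumption, not Logstash's own code): the field name `' message'` with a leading space is not a field on the event, so nothing is matched and the default `_grokparsefailure` tag is added, while `'message'` yields the expected captures. The only change to the pattern is that the closing `]` after the timestamp is escaped as `\]`, which Ruby otherwise accepts with a warning.

```ruby
# Added example (not from the question or answer): apply the question's grok
# regex in plain Ruby and reproduce the " message" vs "message" failure.

# Same pattern as in the question; `]` after the timestamp is escaped for Ruby.
GROK_PATTERN = /(?<clientIP>[^ ]*)[^\[]*\[(?<timestamp>.{26})\] "(?<httpRequest>[^"]*)" (?<httpStatusCode>\d{3}) (?<bytesSent>[^ ]*) "(?<Referer>[^"]*)" "(?<userAgent>[^"]*)"/

# Constructed sample input: the log line quoted in the question.
SAMPLE_LINE = '10.196.3.3 - - [01/Aug/2014:00:00:16 +0200] "GET / HTTP/1.1" 200 1507 "-" "-"'

# Run the pattern and return a Hash of named captures, or nil on no match.
def grok_match(pattern, text)
  m = pattern.match(text)
  return nil if m.nil?
  m.names.each_with_object({}) { |name, h| h[name] = m[name] }
end

# Simplified stand-in (assumption, not Logstash code) for grok's
# `match => [field, pattern]`: look the field up on the event, run the pattern,
# then either merge the captures into the event or add the default
# `_grokparsefailure` tag. A field name with a stray leading space is simply
# absent from the event, which is exactly what the answer describes.
def apply_grok(event, field, pattern)
  event = event.dup
  captures = event.key?(field) ? grok_match(pattern, event[field]) : nil
  if captures
    event.merge!(captures)
  else
    event['tags'] = (event['tags'] || []) + ['_grokparsefailure']
  end
  event
end

if __FILE__ == $PROGRAM_NAME
  event = { 'message' => SAMPLE_LINE }
  p apply_grok(event, 'message', GROK_PATTERN)   # captures merged in
  p apply_grok(event, ' message', GROK_PATTERN)  # tags => ["_grokparsefailure"]
end
```

Running the script shows the captures (clientIP, timestamp, httpRequest, and so on) for the correctly spelled field name and only the `_grokparsefailure` tag for `' message'`, which is the same outcome the Grok Debugger cannot reveal because it is given the raw text rather than a field name.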