
My log file has a single line (taken from the tutorial log file):

```
55.3.244.1 GET /index.html 15824 0.043
```

My conf file looks something like this:

```
input {
  file {
    path => "../http.log"
    type => "http"
  }
}

filter {
  grok {
    type => "http"
    match => [ "message", "%{IP:client}" ]
  }
}
```

I tested my grok filter with the grok debugger and it worked. I'm at a loss as to what I am doing wrong. I get a [0] "_grokparsefailure" every time.

user1077071
  • I can't reproduce this with Logstash 1.4.2. – Magnus Bäck Nov 21 '14 at 09:19
  • I am using logstash-1.1.12-flatjar.jar, let me try with the latest Logstash. Are you saying this worked for you with 1.4.2? – user1077071 Nov 21 '14 at 18:29
  • Quick question - how do you run a conf file with logstash 1.4.2? Is it just bin/logstash -f file.conf? – user1077071 Nov 21 '14 at 18:32
  • Yes, it worked with 1.4.2. Yes, `bin/logstash -f file.conf` is fine. See the answer from @user3195649 though. That's what I thought you'd have to do before I discovered that what you had actually appears to work. – Magnus Bäck Nov 22 '14 at 18:58
  • Don't use grok->type. Put a conditional around the grok: `if [type] == "http" { grok {} }` – Alain Collins Nov 23 '14 at 03:08

1 Answer

As far as debugging a grok filter goes, you can use this link (http://grokdebug.herokuapp.com/). It has a very comprehensive pattern detector, which is a good start.

If you only care about the IP and not the remaining part of the log message, the following filter should work for you.

```
%{IP:host} %{GREEDYDATA:remaining_data}
```

The best method to debug is to use the stdin and stdout plugins for Logstash and debug your grok patterns.

You can find the documentation here http://logstash.net/docs/1.4.2/

user3195649
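A stdin/stdout debugging pipeline of the kind the answer recommends, combined with the conditional suggested in the comments; this is an added example, not configuration posted by anyone in the thread. The file name `grok-debug.conf` is an assumption, and the field name `client` is taken from the question.

```logstash
# Added example: interactive grok debugging pipeline.
# Run with: bin/logstash -f grok-debug.conf   (file name is an assumption)
# then paste a log line on the terminal, for example:
#   55.3.244.1 GET /index.html 15824 0.043

input {
  stdin {
    # Same type as the file input in the question, so the
    # conditional in the filter section applies to pasted lines.
    type => "http"
  }
}

filter {
  # Conditional around grok instead of the grok "type" option.
  if [type] == "http" {
    grok {
      # IP into "client"; GREEDYDATA keeps the rest of the line in one field.
      match => [ "message", "%{IP:client} %{GREEDYDATA:remaining_data}" ]
    }
  }
}

output {
  # rubydebug prints every field and tag of each event, so either the
  # extracted fields or a "_grokparsefailure" tag is visible immediately.
  stdout { codec => rubydebug }
}
```

Once the pattern produces the expected fields here, the `stdin` block can be swapped back for the `file` input from the question.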