0

I have the following logfile (multiple lines)

[25/Nov/2015:15:25:06 +0000] 28minutes.asf-prod.arte.tv GET /profiles/asf/themes/asf/css/grab.png http_code=302 query= uid=0 php_pid=1634 php_time=0.047 queue_wait=0 request_id="v-b52d24dc-9388-11e5-bf44-22000a5ba31e"
[25/Nov/2015:15:25:13 +0000] karambolage.asf-prod.arte.tv GET /fr/la-devinette-194-karambolage http_code=200 query= uid=0 php_pid=1603 php_time=1.113 queue_wait=0 request_id="v-b865c0c8-9388-11e5-9210-22000a5ba31e"

And the following filter for grok

\[%{HTTPDATE:timestamp}\] %{URIHOST:acquia_vhost} %{WORD:verb} %{NOTSPACE:request} http_code=%{NUMBER:response} query=(%{USER:query})? uid=%{NUMBER:uid} php_pid=%{NUMBER:php_pid} php_time=%{NUMBER:php_time} queue_wait=%{NUMBER:queue_wait} request_id=%{QUOTEDSTRING:request_id}\$

I'm testing with http://grokconstructor.appspot.com/do/match#result and I get a 'non matched'.

But I don't see any problem with my pattern :( Thanks for your hellp

Best regards,

Improve this question

2 Answers 2

Reset to default
1

"\$" would mean a dollar sign at the end of your pattern. You have no such thing.

In general, build up your patterns one element at a time. That way, when they break, you know where it was.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks Alain, I try without and now it matches. The other problem was I was checking multiline analysis. Now it's all good, thanks :)
0

Here's a working conf

grok {
      match => { "message" => "\[%{HTTPDATE:timestamp}\] %{URIHOST:acquia_vhost} %{WORD:verb} %{NOTSPACE:request} http_code=%{NUMBER:response} query=(%{NOTSPACE:query})? uid=%{NUMBER:uid} php_pid=%{NUMBER:php_pid} php_time=%{NUMBER:php_time} queue_wait=%{NUMBER:queue_wait} request_id=%{QUOTEDSTRING:request_id}"}
    }
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.