I'm new to Logstash and grok and have a question regarding a pattern. I'm trying to create a grok pattern for my Apache error logs. However, I'm a bit confused about the following behavior.
If I use the underlying match in http://grokdebug.herokuapp.com/:
%{LOGLEVEL:severity}%{IPV4:clientip}%{GREEDYDATA:errormsg}
I get a no match on the following log snippet:
[Sun Apr 10 09:28:01 2016] [error] [client 111.11.111.111] File does not exist: /var/www/html/favicon.ico
Now all the patterns work if I run %{LOGLEVEL:severity} or %{IPV4:clientip}%{GREEDYDATA:errormsg} separately. But if I try them together I get a "no match" return.
I think this is happening because the %{LOGLEVEL:severity} truncates the rest of the log, but I cannot figure out why.
Does anybody have any suggestions as to what I'm doing wrong?
Thank you in advance.
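
An added example, not part of the original post: a small Python model of how a grok expression expands into one regular expression, run against the log line quoted above. The entries in PATTERNS are simplified stand-ins for the stock LOGLEVEL, IPV4 and GREEDYDATA definitions (an assumption), and grok_to_regex and grok_match are hypothetical helper names.

```python
import re

# Simplified stand-ins for the stock grok definitions (assumption: the real
# LOGLEVEL and IPV4 patterns are longer, but behave the same on this line).
PATTERNS = {
    "LOGLEVEL": r"(?:[Ee]rror|ERROR|[Ww]arn(?:ing)?|WARN(?:ING)?"
                r"|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Dd]ebug|DEBUG)",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "GREEDYDATA": r".*",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(expr):
    """Expand each %{NAME:field} reference into a named regex group."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    # Everything outside %{...} is kept as ordinary regex text.
    return GROK_REF.sub(expand, expr)


def grok_match(expr, line):
    """Return the captured fields, or None when the expression does not match."""
    m = re.search(grok_to_regex(expr), line)  # unanchored search, like grok
    return m.groupdict() if m else None


# The log line quoted in the post.
LINE = ("[Sun Apr 10 09:28:01 2016] [error] [client 111.11.111.111] "
        "File does not exist: /var/www/html/favicon.ico")

# References placed back to back must match text that is back to back.
ADJACENT = "%{LOGLEVEL:severity}%{IPV4:clientip}%{GREEDYDATA:errormsg}"
# The same references with the text between the fields spelled out.
WITH_LITERALS = (r"\[%{LOGLEVEL:severity}\] \[client %{IPV4:clientip}\] "
                 r"%{GREEDYDATA:errormsg}")

if __name__ == "__main__":
    for expr in ("%{LOGLEVEL:severity}", ADJACENT, WITH_LITERALS):
        print(expr, "->", grok_match(expr, LINE))
```

Because the references expand into a single regex, the adjacent form only matches where a log level is immediately followed by an IPv4 address, which this line does not contain; the form with the brackets and "client " written out captures all three fields.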