
We are loading access log data into Elasticsearch using Logstash. The log file data looks like below.

2020-12-14 05:19:27.441 10.20.20.198 - narayana.sathya [14/Dec/2020:05:19:27 +0000] "GET /zoomdata/api/groups/5c9349a029a3fa0700a243ae HTTP/1.1" 200 5552 "https://sidcpdata.abc.com:8443/zoomdata/visualization/5abb7a37498e961613d64bea+5ea7ce37ed982daaa8019c75" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60" 315

Could anybody help me get a grok pattern for the above file? I have written the grok pattern below in the Logstash configuration file, but I am getting an error.

grok { match => [ "message", "%{DATESTAMP_12H:timestamp} %{NUMBER:ip} %{WORD:user} %{DATESTAMP_12H:timestamp} %{WORD:api_details} %{NUMBER:responce_type} %{NUMBER:type} %{WORD:dashbaord} %{GREEDYDATA:daemon_message}" ] }


1 Answer


Try this pattern:

%{TIMESTAMP_ISO8601:Time1}\s%{IPV4:IP}\s-\s%{NOTSPACE:UserName}\s\[%{NOTSPACE:TIME2}.*?\"%{WORD:APIMethod}\s%{URIPATH:API}\s%{NOTSPACE:Protocol}\"\s%{NUMBER:ResponseCode}\s%{NUMBER:PORT}\s\"%{URI:URL}%{GREEDYDATA:daemon_message}
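As an added, runnable check that is not part of the answer above (or of Logstash itself): a small Python grok expander, built on a transcribed subset of the stock Logstash grok pattern library (simplified where Python's `re` differs from Oniguruma, e.g. no atomic groups), applied to the log line from the question. The pattern follows the answer's structure but captures the bracketed timestamp whole with `%{HTTPDATE}` instead of `%{NOTSPACE}.*?`, anchors with `^` as Elastic recommends, and names fields by what they hold (the `5552` value sits where the combined log format puts the response size, so it is `bytes` here). The second sample line, with `"-"` as the referrer, is constructed; it shows the `%{URI}` term failing on an empty referrer, which Logstash would tag `_grokparsefailure`, and the alternation that tolerates it. All field names, the `expand_grok`/`parse_access_log` helpers and the constructed line are assumptions for this example.

```python
import re

# Subset of the stock Logstash grok-patterns library, transcribed and
# simplified for Python's re (no atomic groups, no stray captures).
GROK_PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})?",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "IPV4": r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "URIPROTO": r"[A-Za-z][A-Za-z0-9+\-.]*",
    "URIHOST": r"%{HOSTNAME}(?::%{POSINT})?",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
    "URIPARAM": r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*",
    "URI": r"%{URIPROTO}://%{URIHOST}?(?:%{URIPATH}(?:%{URIPARAM})?)?",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand_grok(pattern, patterns=GROK_PATTERNS):
    """Recursively turn %{NAME} / %{NAME:field} into Python regex groups.

    Raises KeyError for a name missing from the table, which is the kind
    of failure grok reports for an unknown pattern name."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in patterns:
            raise KeyError(f"unknown grok pattern {name}")
        body = expand_grok(patterns[name], patterns)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _REF.sub(repl, pattern)


# Same shape as the answer's pattern, with descriptive field names (assumed)
# and the whole bracketed request timestamp kept via HTTPDATE.
ACCESS_LOG_PATTERN = (
    r"%{TIMESTAMP_ISO8601:ingest_time} %{IPV4:client_ip} - %{NOTSPACE:user} "
    r"\[%{HTTPDATE:request_time}\] \"%{WORD:method} %{URIPATH:path} %{NOTSPACE:protocol}\" "
    r"%{NUMBER:status} %{NUMBER:bytes} \"%{URI:referrer}\" \"%{GREEDYDATA:user_agent}\" %{NUMBER:duration}"
)

# Variant that also accepts the "-" most web servers log for an empty referrer.
ACCESS_LOG_PATTERN_TOLERANT = ACCESS_LOG_PATTERN.replace(
    r'\"%{URI:referrer}\"', r'\"(?:-|%{URI:referrer})\"')


def parse_access_log(line, pattern=ACCESS_LOG_PATTERN):
    """Return the named fields, or None when the line does not match
    (the case Logstash tags with _grokparsefailure)."""
    regex = re.compile("^" + expand_grok(pattern))  # anchored, as Elastic advises
    m = regex.search(line)
    return m.groupdict() if m else None


# The line from the question.
SAMPLE_LINE = (
    '2020-12-14 05:19:27.441 10.20.20.198 - narayana.sathya '
    '[14/Dec/2020:05:19:27 +0000] '
    '"GET /zoomdata/api/groups/5c9349a029a3fa0700a243ae HTTP/1.1" 200 5552 '
    '"https://sidcpdata.abc.com:8443/zoomdata/visualization/'
    '5abb7a37498e961613d64bea+5ea7ce37ed982daaa8019c75" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60" 315'
)

# Constructed line in the same format, with no referrer logged.
NO_REFERRER_LINE = (
    '2020-12-14 05:20:01.007 10.20.20.5 - - '
    '[14/Dec/2020:05:20:01 +0000] "GET /zoomdata/health HTTP/1.1" 200 17 '
    '"-" "curl/7.68.0" 12'
)

if __name__ == "__main__":
    for name, value in parse_access_log(SAMPLE_LINE).items():
        print(f"{name:13} {value}")
    print("strict pattern on no-referrer line:", parse_access_log(NO_REFERRER_LINE))
    print("tolerant pattern on no-referrer line:",
          parse_access_log(NO_REFERRER_LINE, ACCESS_LOG_PATTERN_TOLERANT))
```

Once a pattern matches every sample line here, the same string goes into the Logstash filter as `grok { match => { "message" => "<pattern>" } }`; run the health-check style line through it as well, because a pattern that is correct for one line and silently tags the rest `_grokparsefailure` is the usual way access-log fields go missing from the index.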