Unable to get grok filter working

Description

I am using the current version of Logstash and Grok. I've tried the logstash gem as well as the standalone monolithic jar. I've tried both a yaml and non-yaml configuration file. No matter what I try, I get the following error:

Internal compiler error: unrecognized character after (?<
Regexp: (?!<\\)%{(?<name>(?<pattern>[A-z0-9])(?:?<subname>[A-z0-9_:]))?)(?:=(?<definition>(??P<curly2>{(??>

|(?>
[{}]))|(?P>curly2))})|(?:

|\\[{}]))))?\s(?<predicate>(??P<curly>{(??>

|(?>
[{}]))|(?P>curly))*})|(?:

|
[{}]))+)?}
Position: 13

After this, all records that should match this filter are being tagged as _grokparsefailure and none of the fields are broken out. This happens with simple or complex patterns:

  • %{DATA:address}
    or

  • "%{URIHOST:address} (?:%{USER:auth}| ) [%{HTTPDATE:ts}] %{WORD:action} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version} %{QS:status} %{BASE10NUM:bytes} %{QS:referer} %{QS:user_agent} %{QS:forwarded_for} %{QS:upstream}"

What could be the issue? I've tried with older versions of the jls-grok gem (0.4.7) as well as the current (0.9.0). What else can I try?

Activity

Jordan Sissel October 12, 2011 at 6:36 AM

Marking this resolved. If you are still having issues, feel free to reopen.

Chris DiMartino October 11, 2011 at 9:19 PM

Sounds good. I'll give it a try.

Jordan Sissel October 11, 2011 at 9:10 PM

It also might please you to know that the next version of logstash has grok re-implemented in Ruby (and it's faster than calling from ruby->libgrok), so you don't have to chase dependencies for grok anymore.

You are welcome to use the 1.1.0 beta which has this change and others -

http://semicomplete.com/files/logstash/logstash-1.1.0beta4-monolithic.jar

Chris DiMartino October 11, 2011 at 9:08 PM

Excellent! Thanks.

Jordan Sissel October 11, 2011 at 9:04 PM

This error generally means your libpcre is too old.

Are you on CentOS 5? If so, you're likely on version 6.8 or something like it; grok requires libpcre 7.8 or newer.
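
A way to check the libpcre requirement from the comment above before chasing grok patterns. This is an added example, not part of the original thread or of grok itself. The function names are hypothetical, and it assumes `pcre-config` (or `rpm` with a package named `pcre`) reports the same libpcre that grok is linked against.

```shell
#!/bin/sh
# Added example: compare the installed libpcre against the 7.8 minimum
# quoted in the thread. Function names are hypothetical.
MIN_PCRE="7.8"

# version_ge A B: succeed if dotted version A >= B. Fields are compared
# numerically, so 7.10 is newer than 7.8 (a string compare gets this wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}   # drop suffixes such as "-rc1"
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# detect_pcre_version: print the installed PCRE version, or nothing.
detect_pcre_version() {
    if command -v pcre-config >/dev/null 2>&1; then
        pcre-config --version
    elif command -v rpm >/dev/null 2>&1; then
        # rpm prints "not installed" on stdout, so only echo on success
        if out=$(rpm -q --qf '%{VERSION}\n' pcre 2>/dev/null); then
            printf '%s\n' "$out" | head -n 1
        fi
    fi
}

# pcre_report [VERSION]: 0 = new enough, 1 = too old, 2 = not found.
pcre_report() {
    v=${1:-$(detect_pcre_version)}
    if [ -z "$v" ]; then
        echo "libpcre version not found (no pcre-config or rpm entry)"
        return 2
    fi
    if version_ge "$v" "$MIN_PCRE"; then
        echo "libpcre $v: OK (>= $MIN_PCRE)"
    else
        echo "libpcre $v: too old for grok, needs >= $MIN_PCRE"
        return 1
    fi
}

pcre_report "$@" || true
```
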

Fixed

Details

Created October 11, 2011 at 9:02 PM
Updated April 19, 2013 at 8:19 PM
Resolved October 12, 2011 at 6:36 AM