Test grok patterns

This tries to parse a set of given logfile lines with a given grok regular expression (based on Oniguruma regular expressions ) and prints the matches for named patterns for each log line. You can also apply a multiline filter first.

Please enter some loglines for which you want to check a grok pattern, the grok expression that should match these, mark the pattern libraries you draw your patterns from and then press

You can also just try this out with a

random example

Some log lines you want to match. PLEASE NOTE: For the construction algorithms you should use SEVERAL LINES that should match the pattern, and choose lines that are as diverse as possible. That reduces the search space. The more, the better (within reasonable limits, of course).

The (unquoted!) pattern that should match all logfile lines.(Please keep in mind that the whole log line / message is searched for this pattern; if you want this to match the whole line, enclose it in ^ $ or \A \Z. This speeds up the search - especially if the pattern is not found.)

Please mark the libraries of grok Patterns from logstash v.2.4.0 which you want to use. You probably want to use grok-patterns if you use any of the others, since they rely on the basic patterns defined there.

You can also provide a library of some additional grok patterns in the same format as the pattern files linked above. On each line you give a pattern name, a space and the pattern. For example: WORD \b\w+\b

If you want to use logstash's multiline filter please specify the used pattern (can include grok Patterns):

negate the multiline regex

"uRzbUwp5eZgAAAAaqIAAAAAa" \| 5.3.2.1 - - - [24/Feb/2013:13:40:51 +0100] "GET /cpc HTTP/1.1" 302 -
MATCHED
rid	uRzbUwp5eZgAAAAaqIAAAAAa
httpversion	1.1
request	/cpc
timestamp	24/Feb/2013:13:40:51·+0100
auth
forwardedfor
clientip	5.3.2.1
bytes
response	302
ident
verb	GET
"URzbTwp5eZgAAAAWlbUAAAAV" \| 4.3.2.7 - - - [14/Feb/2013:13:40:47 +0100] "GET /cpc/finish.do?cd=true&mea_d=0&targetPage=%2Fcpc%2F HTTP/1.1" 200 5264
MATCHED
rid	URzbTwp5eZgAAAAWlbUAAAAV
httpversion	1.1
request	/cpc/finish.do?cd=true&mea_d=0&targetPage=%2Fcpc%2F
timestamp	14/Feb/2013:13:40:47·+0100
auth
forwardedfor
clientip	4.3.2.7
bytes	5264
response	200
ident
verb	GET
"URzbUwp5eZgAAAAaqIEAAAAa" \| 4.3.2.1 - - - [14/Feb/2013:13:40:51 +0100] "GET /cpc/ HTTP/1.1" 402 -
MATCHED
rid	URzbUwp5eZgAAAAaqIEAAAAa
httpversion	1.1
request	/cpc/
timestamp	14/Feb/2013:13:40:51·+0100
auth
forwardedfor
clientip	4.3.2.1
bytes
response	402
ident
verb	GET
"URzbUwp5eZgAAAAWlbYAAAAV" \| 4.3.2.1 - - - [14/Feb/2013:13:40:51 +0100] "POST /cpc/ HTTP/1.1" 305 -
MATCHED
rid	URzbUwp5eZgAAAAWlbYAAAAV
httpversion	1.1
request	/cpc/
timestamp	14/Feb/2013:13:40:51·+0100
auth
forwardedfor
clientip	4.3.2.1
bytes
response	305
ident
verb	POST
after match: