Test grok patterns

This tries to parse a set of given logfile lines with a given grok regular expression (based on Oniguruma regular expressions ) and prints the matches for named patterns for each log line. You can also apply a multiline filter first.

Please enter some loglines for which you want to check a grok pattern, the grok expression that should match these, mark the pattern libraries you draw your patterns from and then press

You can also just try this out with a

random example

Some log lines you want to match. PLEASE NOTE: For the construction algorithms you should use SEVERAL LINES that should match the pattern, and choose lines that are as diverse as possible. That reduces the search space. The more, the better (within reasonable limits, of course).

The (unquoted!) pattern that should match all logfile lines.(Please keep in mind that the whole log line / message is searched for this pattern; if you want this to match the whole line, enclose it in ^ $ or \A \Z. This speeds up the search - especially if the pattern is not found.)

Please mark the libraries of grok Patterns from logstash v.2.4.0 which you want to use. You probably want to use grok-patterns if you use any of the others, since they rely on the basic patterns defined there.

You can also provide a library of some additional grok patterns in the same format as the pattern files linked above. On each line you give a pattern name, a space and the pattern. For example: WORD \b\w+\b

If you want to use logstash's multiline filter please specify the used pattern (can include grok Patterns):

negate the multiline regex

10.121.123.104 - - [01/Nov/2012:21:01:04 +0100] "GET /cluster HTTP/1.1" 200 1272
MATCHED
httpversion	1.1
request	/cluster
timestamp	01/Nov/2012:21:01:04·+0100
auth
clientip	10.121.123.104
bytes	1272
response	200
ident
verb	GET
10.121.123.104 - - [01/Nov/2012:21:01:17 +0100] "GET /cpc/auth.do?loginsetup=true&targetPage=%2Fcpc%2F HTTP/1.1" 302 466
MATCHED
httpversion	1.1
request	/cpc/auth.do?loginsetup=true&targetPage=%2Fcpc%2F
timestamp	01/Nov/2012:21:01:17·+0100
auth
clientip	10.121.123.104
bytes	466
response	302
ident
verb	GET
10.121.123.104 - - [01/Nov/2012:21:01:18 +0100] "GET /cpc?loginsetup=true&targetPage=%252Fcpc%252F HTTP/1.1" 302 -
MATCHED
httpversion	1.1
request	/cpc?loginsetup=true&targetPage=%252Fcpc%252F
timestamp	01/Nov/2012:21:01:18·+0100
auth
clientip	10.121.123.104
bytes
response	302
ident
verb	GET
10.121.123.104 - - [01/Nov/2012:21:01:18 +0100] "GET /cpc/auth.do?loginsetup=true&targetPage=%25252Fcpc%25252F&loginsetup=true HTTP/1.1" 302 494
MATCHED
httpversion	1.1
request	/cpc/auth.do?loginsetup=true&targetPage=%25252Fcpc%25252F&loginsetup=true
timestamp	01/Nov/2012:21:01:18·+0100
auth
clientip	10.121.123.104
bytes	494
response	302
ident
verb	GET