I have a pattern that basically copies the grok built-in COMMON_LOG_FORMAT pattern. The only difference is that the target log I want to match may contain different time formats, so I incorporated two patterns for it.
My grok pattern is as below:
%{IP:client_ip} %{NOTSPACE:ident} %{NOTSPACE:auth} \[(?:%{HTTPDATE:ts}|%{TIMESTAMP_ISO8601:ts})\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:request_body})" %{NUMBER:resp_code} (?:%{NUMBER:resp_bytes}|-) "%{NOTSPACE:referrer}" "%{DATA:agent}"
Example target log entries look like the ones below:
192.168.142.209 - - [2023-06-25 08:41:47] "POST /portal//callProvider HTTP/1.1" 200 75395 "http://192.168.0.1:8888/xxx.html?token=xxxx" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
192.168.21.114 - - [10/May/2023:15:38:16 +0800] "POST /portal/getIpAddr HTTP/1.1" 200 13 "http://192.168.2.1:8888/xxxx.html?page=xxxx" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
The problem is, my grok rules test fine on the grok debugger, as in the snapshot below:
But telegraf reports the following error:
2023-09-11T17:59:39Z D! [parsers.grok::tail] Grok no match found for: "192.168.142.209 - - [2023-06-25 08:41:47] \"POST /portal//callProvider HTTP/1.1\" 200 75395 \"http://192.168.0.1:8888/xxx.html?token=xxxx\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36\""
Any insights into where I messed up?
telegraf version 1.27.4, with input.tail and grok as the parser