Hi Guys, I need expert help to parse the IIS access logs shown below. I am new to the grok parser and finding it difficult to parse the IIS log format below; can someone please help with a grok pattern?
I am using Telegraf 3.1.1 to parse this log.

Input from IIS logs, one line:

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-02-02 15:22:17 W3SVC1 axy1-wpsdwrd-01 10.223.1.5 GET /news/news.asp id=106381 80 - 10.111.222.333 HTTP/1.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - - www.google.co.uk:40004 404 0 2 1439 422 0

Grok pattern tried so far, which does not work; I used the debugger (https://grokdebug.herokuapp.com/) but can't find what I am missing:

CUSTOM_LOG %{DATESTAMP:EventTime} %{WORD:sitename} %{HOSTNAME:computername} %{IP:hostip} %{URIPROTO:method} %{URIPATH:request} (?:%{NOTSPACE:queryparam}|-) %{NUMBER:port} (?:%{WORD:username}|-) %{IP:clientip} %{NOTSPACE:httpversion} %{NOTSPACE:user-agent} (?:%{NOTSPACE:cookie}|-) (?:%{NOTSPACE:referer}|-) (?:%{HOSTNAME:host}|-) %{NUMBER:status} %{NUMBER:sub-status} %{NUMBER:win32-status} %{NUMBER:bytes-received} %{NUMBER:bytes-sent} %{NUMBER:time-taken}

I appreciate your help in advance.

Thank you,
Kamal
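Added example, not from the original post and not Telegraf's own code: a small Python pre-check that expands grok tokens into a regex and bisects a non-matching pattern to the first token that cannot match, run against the line and pattern posted above. Assumptions: the GROK table is a simplified transcription of the stock grok definitions the linked debugger uses (Telegraf bundles its own Go-compatible variants); the field names in IIS_W3C_PATTERN are mine; :int, :tag and ts-"layout" are Telegraf's documented grok modifiers. Against the posted line the bisect reports three problems in order: DATESTAMP only knows US/EU date order and never matches 2017-02-02 (TIMESTAMP_ISO8601 does); %{IP} rejects 10.111.222.333 because 333 is not a valid octet, so the redacted sample defeats the debugger even though a real log line would pass; and %{HOSTNAME} stops at www.google.co.uk and cannot consume the :40004 that IIS writes into cs-host.

```python
"""Offline pre-check of a grok pattern against an IIS W3C log line.
Added example, not code from the original post or from Telegraf: expands %{NAME:field}
tokens into a Python regex and bisects a non-matching pattern to the first failing token."""
import re

# Simplified transcription of the stock grok definitions (the set the grokdebug site uses):
# IP is IPv4-only, atomic groups dropped. Telegraf ships Go-compatible variants of these.
GROK = {
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "BASE10NUM": r"(?<![0-9.+-])(?:[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))",
    "NUMBER": r"(?:%{BASE10NUM})",
    "IPV4": r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}"
            r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])",
    "IP": r"(?:%{IPV4})",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "URIPROTO": r"[A-Za-z]+(\+[A-Za-z+]+)?",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})",
    "DATE_US": r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "DATE_EU": r"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}",
    "DATE": r"%{DATE_US}|%{DATE_EU}",
    "DATESTAMP": r"%{DATE}[- ]%{TIME}",  # US or EU order only, never year-first
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}"
                         r"(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
}
TOKEN = re.compile(r"%\{(\w+)(?::([^:}]+))?(?::([^}]*))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME}, %{NAME:field}, %{NAME:field:modifier} recursively. Telegraf
    modifiers (int, tag, ts-"layout") are recorded, then dropped: they are typing hints,
    not regex. Field names become identifiers (user-agent -> user_agent) for Python."""
    modifiers = {}

    def repl(m):
        name, field, modifier = m.groups()
        body = TOKEN.sub(repl, GROK[name])  # recurse into the base definition
        if field is None:
            return "(?:%s)" % body
        field = re.sub(r"\W", "_", field)
        if modifier:
            modifiers[field] = modifier
        return "(?P<%s>%s)" % (field, body)

    return TOKEN.sub(repl, pattern), modifiers


def parse(pattern, line):
    """Unanchored match, as grok does; returns the fields (":int" ones cast) or None."""
    regex, modifiers = grok_to_regex(pattern)
    m = re.search(regex, line)
    if m is None:
        return None
    return {k: int(v) if modifiers.get(k) == "int" and v is not None else v
            for k, v in m.groupdict().items()}


def first_failing_token(pattern, line):
    """Anchor at line start, grow the pattern one token at a time (a %{...} token may hold
    a space, e.g. ts-"2006-01-02 15:04:05") and require each prefix to end on a field
    boundary. Returns (index, token) of the first token that cannot match, else None."""
    tokens = re.findall(r"%\{[^}]*\}|\S+", pattern)
    for i in range(1, len(tokens) + 1):
        regex, _ = grok_to_regex("^" + " ".join(tokens[:i]) + r"(?=\s|$)")
        if re.search(regex, line) is None:
            return i - 1, tokens[i - 1]
    return None


# The log line and the grok pattern from the post, copied as posted.
SAMPLE_LINE = ("2017-02-02 15:22:17 W3SVC1 axy1-wpsdwrd-01 10.223.1.5 GET /news/news.asp "
               "id=106381 80 - 10.111.222.333 HTTP/1.1 Mozilla/5.0+(compatible;+Googlebot/2.1;"
               "++http://www.google.com/bot.html) - - www.google.co.uk:40004 404 0 2 1439 422 0")
POSTED_PATTERN = ("%{DATESTAMP:EventTime} %{WORD:sitename} %{HOSTNAME:computername} %{IP:hostip} "
                  "%{URIPROTO:method} %{URIPATH:request} (?:%{NOTSPACE:queryparam}|-) "
                  "%{NUMBER:port} (?:%{WORD:username}|-) %{IP:clientip} %{NOTSPACE:httpversion} "
                  "%{NOTSPACE:user-agent} (?:%{NOTSPACE:cookie}|-) (?:%{NOTSPACE:referer}|-) "
                  "(?:%{HOSTNAME:host}|-) %{NUMBER:status} %{NUMBER:sub-status} "
                  "%{NUMBER:win32-status} %{NUMBER:bytes-received} %{NUMBER:bytes-sent} %{NUMBER:time-taken}")
# Proposed replacement (assumption: field names are mine; :int, :tag, ts-"layout" are Telegraf's
# documented modifiers). ISO timestamp; c-ip as IPORHOST so a redacted octet like 333 still parses;
# cs-host as NOTSPACE because it carries :port. sc-bytes is what the server SENT and cs-bytes what
# it RECEIVED, the reverse of the posted names.
IIS_W3C_PATTERN = ('%{TIMESTAMP_ISO8601:timestamp:ts-"2006-01-02 15:04:05"} %{WORD:sitename:tag} '
                   "%{HOSTNAME:computername:tag} %{IP:server_ip} %{WORD:method:tag} "
                   "%{URIPATH:uri_stem} %{NOTSPACE:uri_query} %{NUMBER:server_port:int} "
                   "%{NOTSPACE:username} %{IPORHOST:client_ip} %{NOTSPACE:http_version} "
                   "%{NOTSPACE:user_agent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:cs_host} "
                   "%{NUMBER:status:int} %{NUMBER:substatus:int} %{NUMBER:win32_status:int} "
                   "%{NUMBER:bytes_sent:int} %{NUMBER:bytes_received:int} %{NUMBER:time_taken_ms:int}")
```

Usage: call first_failing_token(POSTED_PATTERN, SAMPLE_LINE), replace the token it names, and repeat until it returns None; parse(IIS_W3C_PATTERN, SAMPLE_LINE) then yields the typed fields. In Telegraf, put the proposed pattern in custom_patterns under a name such as IIS_W3C and reference it with patterns = ["%{IIS_W3C}"]. Two caveats worth knowing before wiring this into alerting: the #Fields: and other # header lines IIS writes at the top of each log file match no pattern and yield no metric, which is expected; and sc-bytes/cs-bytes are direction-specific, so a rule that looks for unusually large uploads (cs-bytes) or counts 404 sc-status per client must use the correctly named field, which the posted pattern has swapped. Underscores rather than hyphens in field names also avoid any question of what the regex engine accepts as a group name.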
