Unable to Creating Grok Extractor

Graylog Central (peer support)
1

Hi,

I have been trying for a while now to setup a grok extractor on one of my inputs. However I cant get the grok extractor to save. Any help with what I’m doing wrong would be appreciated.

This is the grok pattern I’ve added:
IPORHOST %{IPORHOST:clientip}

This is the error that I’m getting when I click create extractor:
Error

Does graylog have to be able to parse the full field before it will save. I’m tried %{GREEDYDATA} grok pattern and that didn’t work for me either.

2

hej @BruiserT

you just cut off the message that might help with that. In addition did you check the Graylog server.log about the message?

Did you try the Try button?

3

Yes I’ve tried both try and create. I get a 400 error when I do try and a 500 when try to create the extractor

Here’s more of the details that are missing.

Try error messages:

Browser message:
We were not able to run the grok extraction. Please check your parameters.
Details: Error: cannot POST https://graylog.test.com/api/tools/grok_tester (500)

Graylog server error:
2017-12-14T09:41:36.066Z ERROR [AnyExceptionClassMapper] Unhandled exception in REST resource
oi.thekraken.grok.api.exception.GrokException: Deep recursion pattern compilation of %{IPORHOST}

Create Error messages:

Browser message:
Could not create extractor
Creating extractor failed: Error: cannot POST https://graylog.test.com/api/system/inputs/5a2c77ff60ddd007ab45f265/extractors (400)

Graylog server error:
2017-12-14T09:47:55.601Z ERROR [ExtractorsResource] Cannot create extractor. Missing configuration.
org.graylog2.ConfigurationException: Unable to parse grok patterns

4

Figured this out , you have to use a regex in the grok pattern you add to graylog as graylog does not come with a perdefined list like the online grok tester.

Thank You for the quick reply.

5

depending on the way of your installation, Graylog has Grok Patterns delivered on installation.

In addition they can be added in System > Grok Patterns as complete file or as single pattern.

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.