It is time-consuming to restart the entire Logstash service and re-feed it input while working on a grokparsefailure. Here is an easy way to test a line of input or a log file against a grok pattern:
First, install Ruby, RubyGems, and jls-grok, download the grok-patterns file, and create our sample program:
$ sudo apt-get install ruby ruby-dev rubygems-integration -y
$ sudo gem install jls-grok
$ wget https://raw.githubusercontent.com/logstash-plugins/logstash-patterns-core/master/patterns/grok-patterns
$ vi teststdin.rb
#!/usr/bin/env ruby
require "rubygems"
require "grok-pure" # for ruby 1.9
require "pp"

grok = Grok.new

# more patterns available:
# https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns
grok.add_patterns_from_file("grok-patterns")

# enter your desired pattern below
# example input that will match timestamp, 2016-05-25 09:01:02
pattern = "%{TIMESTAMP_ISO8601}"
grok.compile(pattern)
puts "Pattern: #{pattern}"

while line = gets
  puts "IN: #{line}"
  match = grok.match(line)
  if match
    puts "MATCH:"
    pp match.captures
  else
    puts "SORRY, no match!"
  end
end
Then execute the Ruby script. The program takes lines from standard input, so type input manually or pipe a file into stdin (cat mytest.log | ./teststdin.rb).
$ chmod u+r+x teststdin.rb
$ ./teststdin.rb
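The script above only reports whether a line matched. The added example below (not part of the original post and not jls-grok's own code) models grok expansion in plain Ruby and, for a failing line, names the first pattern token that stops matching. The pattern table, the sample lines, and the helper names expand, grok_match and first_failing_token are constructed for illustration; the pattern definitions are simplified, not the real grok-patterns entries.

```ruby
#!/usr/bin/env ruby
# Added example: a simplified model of grok expansion, not jls-grok's code.
# PATTERNS is a constructed, simplified subset; the real definitions live in
# the grok-patterns file downloaded above.
PATTERNS = {
  "TIMESTAMP_ISO8601" => '\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}',
  "LOGLEVEL"          => '(?:DEBUG|INFO|WARN|ERROR)',
  "IPV4"              => '(?:\d{1,3}\.){3}\d{1,3}',
  "GREEDYDATA"        => '.*',
}.freeze

# Expand %{NAME} and %{NAME:field} into regex source; unknown names raise.
def expand(pattern)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = expand(PATTERNS.fetch(name) { raise ArgumentError, "unknown pattern #{name}" })
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Hash of named fields on a match, nil on what Logstash would tag _grokparsefailure.
def grok_match(pattern, line)
  m = Regexp.new(expand(pattern)).match(line)
  m && m.named_captures
end

# Grow the pattern one token at a time, anchored at the start of the line, and
# return the first token that makes the match fail (nil if everything matches).
# Assumes no regex group in the pattern spans more than one token.
def first_failing_token(pattern, line)
  prefix = ""
  pattern.scan(/%\{[^}]+\}|[^%]+|%/).each do |token|
    prefix += token
    return token unless Regexp.new('\A' + expand(prefix)).match?(line)
  end
  nil
end

PATTERN = "%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:level} %{IPV4:client} %{GREEDYDATA:msg}"
# Constructed sample log lines.
SAMPLES = [
  "2016-05-25 09:01:02 INFO 10.0.0.5 login ok",
  "2016-05-25 09:01:02 NOTICE 10.0.0.5 login ok",
  "2016-05-25 09:01:02 WARN - no client address",
].freeze

SAMPLES.each do |line|
  fields = grok_match(PATTERN, line)
  puts fields ? "MATCH #{fields}" : "FAIL at #{first_failing_token(PATTERN, line)}: #{line}"
end
```

The same prefix-growing approach works with the jls-grok script: compile a shortened pattern, test the line, and add tokens back until the match breaks.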