In my previous posts, I showed how to test grok patterns locally using Ruby on Linux and Windows. This works well when your VM does not have full internet access, has only console access, or for any other reason you want to test locally.
If you have access to a graphical web browser and the log file, there is a nice online grok constructor here and here. By simply entering a sample of the log lines and a grok pattern, you can verify that all the lines are parsed correctly.
Here is a small example to start you off:
Go to the grok constructor at http://grokconstructor.appspot.com/do/match
Enter the following line in the top box as an example Apache log line:
127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] "GET /xampp/status.php HTTP/1.1" 200 3891 "http://cadenza/xampp/navi.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"
In the pattern box below it, use the pre-canned grok pattern for Apache:
%{COMBINEDAPACHELOG}
Then press the “Go!” button at the top and see how the line gets parsed into its constituent fields.
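For comparison with what the constructor displays, here is an added Ruby example (not code from this post or from the grok project) that splits the same line into the classic COMBINEDAPACHELOG field names using a simplified regular expression. The regex only approximates the real grok sub-patterns, and the CURLY variant is constructed to show that a line pasted with typographic quotes fails to match.

```ruby
# Added example: simplified stand-in for %{COMBINEDAPACHELOG}. The real grok
# sub-patterns (IPORHOST, HTTPDATE, QS, ...) are stricter than these.
COMBINED_APACHE = /
  \A(?<clientip>\S+)\s(?<ident>\S+)\s(?<auth>\S+)\s
  \[(?<timestamp>[^\]]+)\]\s
  "(?<verb>[A-Z]+)\s(?<request>\S+)(?:\sHTTP\/(?<httpversion>[\d.]+))?"\s
  (?<response>\d{3})\s(?:(?<bytes>\d+)|-)\s
  "(?<referrer>[^"]*)"\s"(?<agent>[^"]*)"\z
/x

# The Apache line from the walkthrough, typed with plain ASCII quotes and hyphens.
SAMPLE = '127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] ' \
         '"GET /xampp/status.php HTTP/1.1" 200 3891 ' \
         '"http://cadenza/xampp/navi.php" ' \
         '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) ' \
         'Gecko/20100101 Firefox/25.0"'

# Constructed variant: same line after a word processor or blog engine has
# replaced the straight quotes with typographic ones.
CURLY = SAMPLE.gsub('"', "\u201C")

# Returns a Hash of field name => value, or nil when the line does not match
# (Logstash's grok filter tags such events with _grokparsefailure).
def parse_combined(line)
  m = COMBINED_APACHE.match(line.chomp)
  return nil unless m
  fields = m.named_captures
  fields["response"] = fields["response"].to_i
  fields["bytes"] = fields["bytes"]&.to_i   # "-" in the log leaves bytes nil
  fields
end

if __FILE__ == $PROGRAM_NAME
  parse_combined(SAMPLE).each { |name, value| puts "#{name.ljust(12)} #{value.inspect}" }
  puts "typographic-quote copy matched: #{!parse_combined(CURLY).nil?}"
end
```

Lines that return nil here are the ones worth checking first in the online constructor, since unparsed events silently lose the fields that searches and alerts depend on.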
REFERENCES
http://grokdebug.herokuapp.com/