Thu Sep 27 15:30:27 BST 2012:- Invalid token $_POST[custom], which indicates the amount, userid
This is from a log file I'm trying to parse using grok for logstash.
The first few fields are ok, and it seemed very close to DATESTAMP_OTHER, but I think that the UK timezone of BST is messing that up.
Got as far as this, but not sure how to make it work!
%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %([PMCEB][SD]T) %{YEAR} %{GREEDYDATA:message}
1) Try out the Grok Debugger which will allow you to test your Grok patterns, on the spot.
2) Also, change your %([PMCEB][SD]T) for something like (?<variable_name>(BST)*) to start off with. You are using the wrong syntax for plain regex.
3) Most important Read the docs. Everything I have just mentioned came directly from the docs.