Grok is parsing successfully when HAProxy gives a log from var/log/haproxy.log similar to:
May 21 08:25:56 ha haproxy[5089]: 12.3.45.67:89012 [21/May/2021:08:25:56.055] www-https~ wss/wssnode website.domain.com 1/1/1/1/111 111 111 - - ---- 11111/11111/11111/111/0 0/0 "GET /ws/site/V3L235F/d88r3567pssllp/ HTTP/1.1"
But when instead of ip_address:port there's a -:port, for example:
May 21 08:25:56 ha haproxy[5089]: -:89012 [21/May/2021:08:25:56.055] www-https~ wss/wssnode website.domain.com 1/1/1/1/111 111 111 - - ---- 11111/11111/11111/111/0 0/0 "GET /ws/site/V3L235F/d88r3567pssllp/ HTTP/1.1"
I have an error:
Provided Grok expressions do not match field value: May 21 08:25:56 ha haproxy[5089]: -:89012 [21/May/2021:08:25:56.055] www-https~ wss/wssnode website.domain.com 1/1/1/1/111 111 111 - - ---- 11111/11111/11111/111/0 0/0 "GET /ws/site/V3L235F/d88r3567pssllp/ HTTP/1.1
Here's my /usr/share/filebeat/module/haproxy/log/pipeline.json
I was trying to resolve this by adding a new pattern to grok with the message field and by editing the grok pattern with the source.address field, without success.
I had a look at your pipeline grok patterns. Taking cue from that, I modified the IP section a bit.
(%{IP:source.address}|-):%{NUMBER:port}
You can use something like this. I have given test names to the variables; you can change them accordingly.
The output for the following is as follows:
Example 1 => 12.34.56.78:89012
{
  "source": [
    [
      "12.34.56.78"
    ]
  ],
  "port": [
    [
      "89012"
    ]
  ]
}
Example 2 => -:89012
{
  "source": [
    [
      null
    ]
  ],
  "port": [
    [
      "89012"
    ]
  ]
}
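An added example (not from the original answer or the Filebeat module) that checks the alternation offline against the two log lines from the question, so that events with no client address are still ingested instead of failing the pipeline. The regexes are simplified stand-ins for grok's `%{IP}` (IPv4 only here) and `%{NUMBER}`, and the names `STRICT`, `TOLERANT` and `parse_client` are hypothetical.

```python
import re

# Assumption: simplified equivalents of grok's %{IP} (IPv4 only) and %{NUMBER}.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
NUMBER = r"\d+"
PREFIX = r"haproxy\[\d+\]: "  # syslog prefix seen in the question's lines

# Before: %{IP:source.address}:%{NUMBER:port}  (requires an address)
STRICT = re.compile(rf"{PREFIX}(?P<addr>{IPV4}):(?P<port>{NUMBER}) ")
# After:  (%{IP:source.address}|-):%{NUMBER:port}  (address or a literal '-')
TOLERANT = re.compile(rf"{PREFIX}(?:(?P<addr>{IPV4})|-):(?P<port>{NUMBER}) ")

# The two log lines from the question.
SAMPLES = [
    'May 21 08:25:56 ha haproxy[5089]: 12.3.45.67:89012 '
    '[21/May/2021:08:25:56.055] www-https~ wss/wssnode website.domain.com '
    '1/1/1/1/111 111 111 - - ---- 11111/11111/11111/111/0 0/0 '
    '"GET /ws/site/V3L235F/d88r3567pssllp/ HTTP/1.1"',
    'May 21 08:25:56 ha haproxy[5089]: -:89012 '
    '[21/May/2021:08:25:56.055] www-https~ wss/wssnode website.domain.com '
    '1/1/1/1/111 111 111 - - ---- 11111/11111/11111/111/0 0/0 '
    '"GET /ws/site/V3L235F/d88r3567pssllp/ HTTP/1.1"',
]


def parse_client(line, pattern=TOLERANT):
    """Return the client fields, or None when the pattern does not match.

    Like grok, the address key is left out when the alternation took the
    '-' branch, so downstream processors never see a fake address.
    """
    m = pattern.search(line)
    if m is None:
        return None
    event = {"port": m.group("port")}
    if m.group("addr") is not None:
        event["source.address"] = m.group("addr")
    return event


if __name__ == "__main__":
    for line in SAMPLES:
        print("strict:  ", parse_client(line, STRICT))
        print("tolerant:", parse_client(line, TOLERANT))
```

Because `source.address` is simply absent for `-:port` lines, any later processor that reads it (GeoIP enrichment, for example) has to tolerate a missing field.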