@type parser reserve_data true format grok key_name message grok_pattern \[%{HTTPDATE:Timestamp}\] "(?:%{WORD:http_method} %{NOTSPACE:http_url}(?: HTTP/%{NUMBER:http_version})?|%{DATA:rawrequest})" %{NUMBER:http_status} (?:\d+|-) time_key Timestamp time_format %d/%b/%Y:%H:%M:%S %z keep_time_key true