Ever wanted to know why your grok patterns does not work? This might help a little.

grok_tester.rb

require 'rubygems'
require 'pp'
# gem install jsl-grok
require 'grok-pure'

# Variable just to DRY it
BASE_PATH = '/home/michal/iw/puppet/modules/logstash/files'
# Set where are your grok patterns stored
PATTERN_GLOB = [
  "#{BASE_PATH}/grok_patterns/*", 
  "#{BASE_PATH}/grok.d/access_log" 
]
# Text to match
TEXT = "lib01.intraworlds-resources.com | 80 | 178.199.249.47 | [31/May/2013:11:46:31 +0200] | GET /portal/application-v6.0//VERSION_72458/jquery-lib/prettyPhoto/js/jquery.prettyPhoto.js HTTP/1.1 | 200 | 6016 | https://www.bws-world.de/user/profile | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:21.0) Gecko/20100101 Firefox/21.0 | 1817 | -"
# Try this match pattern out and see what shakes.
PATTERN = '%{IPORHOST:domain} \| %{NUMBER:port} \| %{IPORHOST:clientip} \| \[%{HTTPDATE:timestamp}\] \| %{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion} \| %{NUMBER:response} \| (?:%{NUMBER:bytes}|-) \| (?:%{URI:referrer}|-) \| %{DATA:agent} \| %{NUMBER:duration:int} \| (?:%{WORD:phpsessid}|-)'

# Set a new matcher
grok = Grok.new
# Load patterns
PATTERN_GLOB.each do |glob|
  Dir.glob(glob).each do |file|
    grok.add_patterns_from_file(file)
  end
end

grok.compile(PATTERN)
match = grok.match(TEXT)

if match == false
  puts "Pattern:\n%s\n\nDoes not match input:\n%s" % [PATTERN, TEXT]
else
  pp match.captures
end