_grokparsefailure for matching patterns

Rajdeep_Mukherjee · February 23, 2017, 12:18pm

contents of pattern file:
ZX_ERROR \A!%{SPACE}%{DATE:date}%{SPACE}%{TIME:time}%{SPACE}:%{SPACE}(%{JAVACLASS:caused_by})?(%{JAVAFILE:caused_by})?%{GREEDYDATA:error_message}

Logstash config file:

filter {
if "tzx" in [app] {

   mutate {
   gsub => [ "message", "[#\,]", " "  ]
          }
   grok {
   add_tag => [ "tzx" ]
   patterns_dir => "/etc/logstash/patterns"
   match => [ "message" , "%{TZX_ERROR}" ]
        }         }

#Exception Handling
if "_csvparsefailure" in [tags] {
mutate { add_field => { 'threat_type' => 'Warn - Long error message' } }
mutate { remove_tag => [ "_csvparsefailure"] }
}

Rajdeep_Mukherjee · February 23, 2017, 12:21pm

these are the patterns that fail:
! 16/02/17 11:40:56.161 : App.Transaction : For transaction #170216000000580965, transaction result has been changed to 'System Error' due to database transaction rollback

! 16/02/17 11:40:45.549 : App.Interface : Error processing record: Mandatory translation 'OrigFiName -> OrigInstId' not found for OrigFiName='null'

! 24/01/17 01:01:26.870 : App.Transaction : Error on transaction finalize: null

Filebeat configuration:

filebeat:
prospectors:
-
document_type: log
fields:
app: tzx
fields_under_root: true
include_lines:
- ^!
input_type: log
paths:
- /opt/TranzAxis/logs///*/log.
registry_file: /var/lib/filebeat/registry
logging:
files:
rotateeverybytes: 10485760
output:
redis:
db: 0
hosts:
- "q-acqpmq-lbm01.wirecard.sys:6379"
key: filebeat
reconnect_interval: 1
timeout: 5

warkolm · February 24, 2017, 10:04am

What exactly are you asking here?

system · March 24, 2017, 10:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.