_grokparsefailure general exception handling?

ZillaG · March 27, 2017, 2:02pm

I've perused the forum regarding _grokparsefailure, but they all ask about solving specific log messages. I have a general question.

As I form my Grok filters for one of our applications, I expect to get _grokparsefailure since my filters are incomplete. As I get them, I want to

Mutate one of the fields
Send the log message to Elasticsearch
Search for the index with the mutated field in Kibana

So this will be the last filter I'll have

filter {
  if "_grokparsefailure" in [tags] {
    mutate {
      remove_tag => [ "_grokparsefailure" ]
      replace => {
       "customer" => "grokparsefailure"
      }
    }
  }
}

Then my output filter looks like

output {
  stdout {
    codec => rubydebug
  }

  elasticsearch {
    # other options
    index => "logstash-%{customer}-%{+YYYY.MM.dd}"
  }
}

I can then just form a "logstash-grokparsefailure-*" index in Kibana.

How does this strategy sound?

ZillaG · March 27, 2017, 6:08pm

This approach worked well for me. I can now create a "logstash-grokparsefailure-*" index in Kibana and see all my messages with _grokparsefailure.

system · April 24, 2017, 6:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Handling Filter Errors Logstash	3	2551	November 18, 2021
_grokparsefailure on kibana for record through logstash Logstash	2	323	November 16, 2021
Grokparsefailure in processing a log file Logstash	6	262	March 3, 2023
Handle filter exception in Logstash Logstash	4	1464	November 6, 2018
Logstash Filters Logstash	8	736	July 6, 2017

_grokparsefailure general exception handling?

Related topics