_grokparsefailure general exception handling?

ZillaG · March 27, 2017, 2:02pm

I've perused the forum regarding _grokparsefailure, but they all ask about solving specific log messages. I have a general question.

As I form my Grok filters for one of our applications, I expect to get _grokparsefailure since my filters are incomplete. As I get them, I want to

Mutate one of the fields
Send the log message to Elasticsearch
Search for the index with the mutated field in Kibana

So this will be the last filter I'll have

filter {
  if "_grokparsefailure" in [tags] {
    mutate {
      remove_tag => [ "_grokparsefailure" ]
      replace => {
       "customer" => "grokparsefailure"
      }
    }
  }
}

Then my output filter looks like

output {
  stdout {
    codec => rubydebug
  }

  elasticsearch {
    # other options
    index => "logstash-%{customer}-%{+YYYY.MM.dd}"
  }
}

I can then just form a "logstash-grokparsefailure-*" index in Kibana.

How does this strategy sound?

ZillaG · March 27, 2017, 6:08pm

This approach worked well for me. I can now create a "logstash-grokparsefailure-*" index in Kibana and see all my messages with _grokparsefailure.

system · April 24, 2017, 6:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.