_grokparsefailure general exception handling?

ZillaG · March 27, 2017, 2:02pm

I've perused the forum regarding _grokparsefailure, but they all ask about solving specific log messages. I have a general question.

As I form my Grok filters for one of our applications, I expect to get _grokparsefailure since my filters are incomplete. As I get them, I want to

Mutate one of the fields
Send the log message to Elasticsearch
Search for the index with the mutated field in Kibana

So this will be the last filter I'll have

filter {
  if "_grokparsefailure" in [tags] {
    mutate {
      remove_tag => [ "_grokparsefailure" ]
      replace => {
       "customer" => "grokparsefailure"
      }
    }
  }
}

Then my output filter looks like

output {
  stdout {
    codec => rubydebug
  }

  elasticsearch {
    # other options
    index => "logstash-%{customer}-%{+YYYY.MM.dd}"
  }
}

I can then just form a "logstash-grokparsefailure-*" index in Kibana.

How does this strategy sound?

ZillaG · March 27, 2017, 6:08pm

This approach worked well for me. I can now create a "logstash-grokparsefailure-*" index in Kibana and see all my messages with _grokparsefailure.

system · April 24, 2017, 6:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't even parse very simple data and get _grokparsefailure as a tag Logstash	19	1139	December 12, 2018
What is the best way to handle _grokparsefailure errors Beats filebeat	4	23102	December 14, 2017
Grokparsefailure and don't understand why Elasticsearch	3	4826	July 6, 2017
KIbana doesn't show log events that have resulted in _grokparsefailure Elasticsearch	1	913	July 6, 2017
My grok fikter dont work Logstash	7	397	August 10, 2018

_grokparsefailure general exception handling?

Related topics