_grokparsefailure - "message": "\u00002\u00000

Elastic Stack Logstash
1

My log data is like,
2016-03-31 18:04:04,124 - [Messages_Router - FN7SVCT2] - [590] DEBUG Ifn.Messages.Router.MessageHandlerFactory [(null)] - ProcessQueue: ProcessingW2DocumentRouterMessage
2016-03-31 18:04:04,124 - [Messages_Router - FN7SVCT2] - [590] DEBUG Ifn.Messages.Router.MessageHandlerFactory [(null)] - ProcessQueue: Message is delayed, sending back to queue
2016-03-31 18:04:04,124 - [Messages_Router - FN7SVCT2] - [590] DEBUG Ifn.Messages.Router.MessageHandlerFactory [(null)] - ProcessQueue: ProcessingW2DocumentRouterMessage

My Pattern is:
grok {
match => ["message", "%{TIMESTAMP_ISO8601:logDate} - [%{WORD:AppName} - %{WORD:ServerName}] - [%{WORD:ThreadNumber}] %{WORD:LevelType} %{GREEDYDATA:MainText}"]

	}

the grokdebugger can prase it fine, but I keep getting _grokparsefailure.

the output is:
{
"_index": "test.03",
"_type": "test",
"_id": "AVPNOXyAjo8MFXx7teDk",
"_score": null,
"source": {
"message": "\u00002\u00000\u00001\u00006\u0000-\u00000\u00003\u0000-\u00003\u00001\u0000 \u00001\u00008\u0000:\u00001\u00000\u0000:\u00000\u00008\u0000,\u00008\u00004\u00003\u0000 \u0000-\u0000 \u0000[\u0000M\u0000e\u0000s\u0000s\u0000a\u0000g\u0000e\u0000s\u0000\u0000R\u0000o\u0000u\u0000t\u0000e\u0000r\u0000 \u0000-\u0000 \u0000F\u0000N\u00007\u0000S\u0000V\u0000C\u0000T\u00002\u0000]\u0000 \u0000-\u0000 \u0000[\u00007\u00008\u00007\u0000]\u0000 \u0000D\u0000E\u0000B\u0000U\u0000G\u0000 \u0000I\u0000f\u0000n\u0000.\u0000M\u0000e\u0000s\u0000s\u0000a\u0000g\u0000e\u0000s\u0000.\u0000R\u0000o\u0000u\u0000t\u0000e\u0000r\u0000.\u0000M\u0000e\u0000s\u0000s\u0000a\u0000g\u0000e\u0000H\u0000a\u0000n\u0000d\u0000l\u0000e\u0000r\u0000F\u0000a\u0000c\u0000t\u0000o\u0000r\u0000y\u0000 \u0000[\u0000(\u0000n\u0000u\u0000l\u0000l\u0000)\u0000]\u0000 \u0000-\u0000 \u0000I\u0000s\u0000O\u0000v\u0000e\u0000r\u0000l\u0000o\u0000a\u0000d\u0000e\u0000d\u0000:\u0000 \u0000T\u0000h\u0000r\u0000e\u0000a\u0000d\u0000C\u0000o\u0000u\u0000n\u0000t\u0000e\u0000r\u0000:\u0000 \u00000\u0000\r\u0000",
"@version": "1",
"@timestamp": "2016-03-31T15:10:09.088Z",
"host": "btslogstt1",
"path": "//fn7svct2/Logs/MessageRouter_FN7SVCT2.log",
"type": "test",
"tags": [
"_grokparsefailure"
]
},
"fields": {
"@timestamp": [
1459437009088
]
},
"sort": [
1459437009088
]
}

any help much appreciated, thanks

2

Looks like an encoding issue more than anything, can you paste your entire config?

Also please use a better subject next time, "_grokparsefailure" tells us nothing about the problem you are dealing with when many other people also have this error.

3

even a simple %{GREEDYDATA:msg} doesn't work.
Sorry about the topic, changed it :slight_smile:

the .conf file:
input {
file
{
path => [
"//Logs/*.log"
]
}
}

filter 
{
		 mutate { replace => { "type" => "test_app" } }
	
	grok { 
  match => { "message" => "%{TIMESTAMP_ISO8601:logDate} - %{GREEDYDATA:msg}" } 
}
	# commented out to check a simpler parsing
	#grok {
	#	match => ["message", "%{TIMESTAMP_ISO8601:logDate}"]
		#match => ["message", "%{TIMESTAMP_ISO8601:logDate} - \[%{WORD:AppName} - %{WORD:ServerName}\] - \[%{WORD:ThreadNumber}\] %{WORD:LevelType} %{GREEDYDATA:MainText}"]
		#remove_field => [ "message" ,"host"] 
	#	} 
}

# See documentation for different protocols:
# http://logstash.net/docs/1.4.2/outputs/elasticsearch
output 
{
	stdout 
	{ 
		codec => rubydebug	
	}
  elasticsearch 
  {
	
    template_name => "test"
	template_overwrite => true
	host => ["btsesbest1","btsesbest2"]
    port => "9200"
    protocol => "http"
	index => "test_app_%{+yyyy.MM}"
  }
}
4

I might add it is logstash 1.5.1
Not the best subject, but not sure how else to classify it.