Hi!
I have little problem with Logstash 1.5.2 and grok filtering.. My Logstash get messages from syslog and grok have problems with one of them - it is adding _grokparsefailure_syslog tag. When I put message to stdin everything goes well. Here is grok filter rule:
"message" => ["USER_DN=\"CN=%{WORD:firstname} %{WORD:lastname}", "JOB_ID_LIST=\"CREAM%{NUMBER:cream_id}", "AbsJobId=slurm\/%{NUMBER}\/%{NUMBER:job_id}"]
I'm using Java 1.8.0_45.
Any suggestions?
The syslog input uses grok internally, and that's what isn't matching (hence _grokparsefailure_syslog instead of _grokparsefailure). It seems the syslog input doesn't like what is sent to it, possibly because it's malformed.
The problem was with builtin syslog grok filter. Now I'm using TCP input plugin and use own syslog grok filter which is working with specific message type.
Thanks! 
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.