_grokparsefailure tag not removed


I'm strugling to get rid of these _grokparsefailure tags

Case 1:
Message - - [26/May/2017:21:24:04 +0200] "GET /plugins/jqueryui/themes/classic/jquery-ui-1.10.4.custom.css?s=1450862292 HTTP/1.1" 200 6284 "https://server.domain.org/?_task=mail&_mbox=INBOX" "Opera/9.80 (Windows NT 6.1; Win64; x64) Presto/2.12.388 Version/12.18"


filter {
  if [program] == "nginx" {
    grok {
        break_on_match => true
        patterns_dir => "/etc/logstash/conf.d/patterns"
       match => [ "message", "%{IPORHOST:remote_addr} - - \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" ]
        add_tag => [ "_grok_nginx_access_success" ]
        add_tag => ["Web"]
        add_tag => ["nginx_access"]
        remove_tag => ["_grokparsefailure"]

Result: The tags are added, the informations are extracted but _grokparsefailure is not removed

That's odd. Do you have another grok filter somewhere in your configuration? Keep in mind that Logstash reads all files in /etc/logstash/conf.d.

If you don't want a grok filter to add a _grokparsefailure tag the typical way of avoiding it is setting tag_on_failure to an empty list. That doesn't appear to be the problem in your case since you're saying it's adding the tags, which indicates that the grok filter is successful.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.