_grokparsefailure tag not removed

mikygee · May 26, 2017, 7:30pm

Hello,

I'm strugling to get rid of these _grokparsefailure tags

Case 1:
Message
1.1.1.1 - - [26/May/2017:21:24:04 +0200] "GET /plugins/jqueryui/themes/classic/jquery-ui-1.10.4.custom.css?s=1450862292 HTTP/1.1" 200 6284 "https://server.domain.org/?_task=mail&_mbox=INBOX" "Opera/9.80 (Windows NT 6.1; Win64; x64) Presto/2.12.388 Version/12.18"

Config

filter {
  if [program] == "nginx" {
    grok {
        break_on_match => true
        patterns_dir => "/etc/logstash/conf.d/patterns"
       match => [ "message", "%{IPORHOST:remote_addr} - - \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" ]
        add_tag => [ "_grok_nginx_access_success" ]
        add_tag => ["Web"]
        add_tag => ["nginx_access"]
        remove_tag => ["_grokparsefailure"]
    }
  }
}

Result: The tags are added, the informations are extracted but _grokparsefailure is not removed

magnusbaeck · May 29, 2017, 5:21am

That's odd. Do you have another grok filter somewhere in your configuration? Keep in mind that Logstash reads all files in /etc/logstash/conf.d.

If you don't want a grok filter to add a _grokparsefailure tag the typical way of avoiding it is setting tag_on_failure to an empty list. That doesn't appear to be the problem in your case since you're saying it's adding the tags, which indicates that the grok filter is successful.

Topic		Replies	Views
Problem tag _grokparsefailure Logstash	1	943	March 8, 2018
Grokparsefailure tag - what does really it mean? Logstash	2	5348	January 8, 2019
Grok: tag_on_failure is not working and has no effect Logstash	1	407	May 25, 2021
Tags:_grokparsefailure Logstash	1	373	October 5, 2020
grokParseFailure but works on grokdebug tester Logstash	3	780	December 15, 2017

_grokparsefailure tag not removed

Related topics