_grokparsefailure tag not removed

mikygee · May 26, 2017, 7:30pm

Hello,

I'm strugling to get rid of these _grokparsefailure tags

Case 1:
Message
1.1.1.1 - - [26/May/2017:21:24:04 +0200] "GET /plugins/jqueryui/themes/classic/jquery-ui-1.10.4.custom.css?s=1450862292 HTTP/1.1" 200 6284 "https://server.domain.org/?_task=mail&_mbox=INBOX" "Opera/9.80 (Windows NT 6.1; Win64; x64) Presto/2.12.388 Version/12.18"

Config

filter {
  if [program] == "nginx" {
    grok {
        break_on_match => true
        patterns_dir => "/etc/logstash/conf.d/patterns"
       match => [ "message", "%{IPORHOST:remote_addr} - - \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" ]
        add_tag => [ "_grok_nginx_access_success" ]
        add_tag => ["Web"]
        add_tag => ["nginx_access"]
        remove_tag => ["_grokparsefailure"]
    }
  }
}

Result: The tags are added, the informations are extracted but _grokparsefailure is not removed

magnusbaeck · May 29, 2017, 5:21am

That's odd. Do you have another grok filter somewhere in your configuration? Keep in mind that Logstash reads all files in /etc/logstash/conf.d.

If you don't want a grok filter to add a _grokparsefailure tag the typical way of avoiding it is setting tag_on_failure to an empty list. That doesn't appear to be the problem in your case since you're saying it's adding the tags, which indicates that the grok filter is successful.

system · June 26, 2017, 5:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Tags:_grokparsefailure Logstash	1	352	October 5, 2020
Problem tag _grokparsefailure Logstash	1	918	March 8, 2018
_grokparsefailure problem Logstash	3	355	September 4, 2019
Eliminating _grokparsefailure Logstash	5	2524	July 6, 2017
Logstash grokparsefailure Logstash	4	385	November 11, 2020

_grokparsefailure tag not removed

Related topics