_grokparsefailure tag not removed

Hello,

I'm struggling to get rid of these _grokparsefailure tags

Case 1:
Message
1.1.1.1 - - [26/May/2017:21:24:04 +0200] "GET /plugins/jqueryui/themes/classic/jquery-ui-1.10.4.custom.css?s=1450862292 HTTP/1.1" 200 6284 "https://server.domain.org/?_task=mail&_mbox=INBOX" "Opera/9.80 (Windows NT 6.1; Win64; x64) Presto/2.12.388 Version/12.18"

Config

filter {
  if [program] == "nginx" {
    grok {
        break_on_match => true
        patterns_dir => "/etc/logstash/conf.d/patterns"
        match => [ "message", "%{IPORHOST:remote_addr} - - \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" ]
        add_tag => [ "_grok_nginx_access_success" ]
        add_tag => ["Web"]
        add_tag => ["nginx_access"]
        remove_tag => ["_grokparsefailure"]
    }
  }
}

Result: The tags are added, the information is extracted, but _grokparsefailure is not removed

That's odd. Do you have another grok filter somewhere in your configuration? Keep in mind that Logstash reads all files in /etc/logstash/conf.d.

If you don't want a grok filter to add a _grokparsefailure tag the typical way of avoiding it is setting tag_on_failure to an empty list. That doesn't appear to be the problem in your case since you're saying it's adding the tags, which indicates that the grok filter is successful.
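
A constructed illustration of the situation the reply describes, added here and not taken from the poster's actual configuration: a second, unconditional grok in another file under /etc/logstash/conf.d tags nginx events after the nginx grok has already succeeded. The file names, the syslog filter and the `_grokparsefailure_syslog` tag are assumptions made for the example.

```logstash
# Constructed example. File names and the syslog filter are hypothetical.
# Logstash concatenates every file in /etc/logstash/conf.d into one pipeline,
# so each event passes through all of the filters below, in file order.

# --- /etc/logstash/conf.d/10-nginx.conf (the grok from the question, shortened) ---
filter {
  if [program] == "nginx" {
    grok {
      match => { "message" => "%{IPORHOST:remote_addr} - - \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" }
      add_tag => ["nginx_access"]
      # Applied only when this grok matches, and only to tags already present
      # at this point. It cannot undo a tag that a later filter adds.
      remove_tag => ["_grokparsefailure"]
    }
  }
}

# --- /etc/logstash/conf.d/20-syslog.conf, before ---
# No conditional: this grok also runs on nginx events, fails to match them,
# and adds _grokparsefailure after the nginx grok has already succeeded.
filter {
  grok {
    match => { "message" => "%{SYSLOGLINE}" }
  }
}

# --- /etc/logstash/conf.d/20-syslog.conf, after ---
# Scope the filter to the events it is meant for, and give it its own
# failure tag so a failed event shows which grok rejected it.
# Use tag_on_failure => [] instead to add no failure tag at all.
filter {
  if [program] != "nginx" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
      tag_on_failure => ["_grokparsefailure_syslog"]
    }
  }
}
```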
