Availiable actions for _grokparsefailure (drop, mutate, ...) - need _grokparsefailure events in a separate file

jiona · August 7, 2018, 3:47pm

For further analysis I need only _grokparsefailure events in a separate file.
I thought instead of "drop" I could use "file" (like in the output section) but it doesnt work.
How can I do that or where can I find more information and explanationd about options for "_grokparsefailure"?

Kind regards
Jiona

Badger · August 7, 2018, 4:22pm

You can make the output conditional.

Something like

output {
    if "_grokparsefailure" in [tags] {
         file {
             ...
         }
    } else {
        ...some other output...
    }
}

jiona · August 7, 2018, 4:48pm

Looks good. That's my conditional output.
Now I need to wait until tomorrow

  else if [type] == "syslogdect500" {
    if "_grokparsefailure" in [tags] {
        file {"path" => "/tmp/gork_dect500_failure.txt"}
    }
    else {
        elasticsearch {
        hosts => ["*****:9200"]
        user => "*****"
        password => "*****"
        index => "syslogdect500-%{+YYYY.MM}"
        }
        #stdout { codec => rubydebug }
    }
  }

Kind regrads
Jiona

system · September 4, 2018, 4:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to exclude bad output (lines not matching 'grok' pattern) from logstash? Logstash	9	22937	November 4, 2022
If _jsonparsefailure in [tags] Logstash	4	8796	February 26, 2017
If _grokparsefailure break condition Logstash	2	3459	April 4, 2018
I want to save all _grokparsefailure entries in a file to review them later, however Logstash	6	584	June 28, 2021
Appeared _grokparsefailure, unable to parse specific lines from log file Logstash	1	218	January 11, 2021

Availiable actions for _grokparsefailure (drop, mutate, ...) - need _grokparsefailure events in a separate file

Related topics