Availiable actions for _grokparsefailure (drop, mutate, ...) - need _grokparsefailure events in a separate file

jiona · August 7, 2018, 3:47pm

For further analysis I need only _grokparsefailure events in a separate file.
I thought instead of "drop" I could use "file" (like in the output section) but it doesnt work.
How can I do that or where can I find more information and explanationd about options for "_grokparsefailure"?

Kind regards
Jiona

Badger · August 7, 2018, 4:22pm

You can make the output conditional.

Something like

output {
    if "_grokparsefailure" in [tags] {
         file {
             ...
         }
    } else {
        ...some other output...
    }
}

jiona · August 7, 2018, 4:48pm

Looks good. That's my conditional output.
Now I need to wait until tomorrow

  else if [type] == "syslogdect500" {
    if "_grokparsefailure" in [tags] {
        file {"path" => "/tmp/gork_dect500_failure.txt"}
    }
    else {
        elasticsearch {
        hosts => ["*****:9200"]
        user => "*****"
        password => "*****"
        index => "syslogdect500-%{+YYYY.MM}"
        }
        #stdout { codec => rubydebug }
    }
  }

Kind regrads
Jiona

system · September 4, 2018, 4:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.