Break_on_match not working

Elastic Stack Logstash
1

After upgrading to 7.1.0, the logic seems to have changed.
I used to have this grok:
grok {
match => { "message" => "webapp=%{URIPATH:webapp} path=%{URIPATH:path} params={%{GREEDYDATA:Params}} hits=%{BASE10NUM:hits} status=%{BASE10NUM:status} QTime=%{BASE10NUM:QTime2:int}" }
match => { "message" => "webapp=%{DATA:webapp} path=%{URIPATH:path} params={%{GREEDYDATA:Params}} status=%{BASE10NUM:status} QTime=%{BASE10NUM:QTime2:int}" }
match => { "message" => "%{GREEDYDATA}" }
}
So that if none of the first two worked it would grok the last one.

However after the upgrade, only the last match is invoked. I have tried moving the "greedy" one to the top of the list and then one of the two other match-lines are used correctly.
I have tried adding the break_on_match => true line, but that does not seem to do anything.
Can anyone verify this?

Regards

Jens Hyllegaard

2

the configuration is a bit strange... Could you try:

grok {
  match => { "message" => [ 
                 "webapp=%{URIPATH:webapp} path=%{URIPATH:path} params={%{GREEDYDATA:Params}} hits=%{BASE10NUM:hits} status=%{BASE10NUM:status} QTime=%{BASE10NUM:QTime2:int}",
                 "webapp=%{DATA:webapp} path=%{URIPATH:path} params={%{GREEDYDATA:Params}} status=%{BASE10NUM:status} QTime=%{BASE10NUM:QTime2:int}",
                 "%{GREEDYDATA}"
              ]
  }
}
3

I tried copying your example but it generated the following error:

[2019-06-07T09:50:17,595][ERROR][logstash.agent           ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Expected one of #, => at line 20, column 11 (byte 694) after filter {\n\tif [type] == \"syslog\" {\n\t\tif [logsource] in [ \"solr1\", \"SOLR1\", \"solr2\", \"SOLR2\", \"solr3\", \"SOLR3\", \"solrudv\", \"SOLRUDV\", \"solrtst\", \"SOLRTST\" ] {\n\t\t\tgrok { \n\t\t\t  break_on_match => true\n\t\t\t  match => { \"message\" => [ \n\t\t                 \"webapp=%{URIPATH:webapp} path=%{URIPATH:path} params={%{GREEDYDATA:Params}} hits=%{BASE10NUM:hits} status=%{BASE10NUM:status} QTime=%{BASE10NUM:QTime2:int}\",\n\t\t                 \"webapp=%{DATA:webapp} path=%{URIPATH:path} params={%{GREEDYDATA:Params}} status=%{BASE10NUM:status} QTime=%{BASE10NUM:QTime2:int}\",\n\t\t                 \"%{GREEDYDATA}\"\n\t\t              ]\n\t\t\t}\n\n\t\t\tmutate ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2577:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/reload.rb:37:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:325:in `block in converge_state'"]}

I tried checking the formatting, but I was unable to make it work.
Also my own configuration was valid in 6.6?

4

I think you forgot to copy the last } in my Code example. There are two } at the end.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.