Broken grok after the update to Logstash 7.12

aviadhaham · April 12, 2021, 10:41am

Hello,

In my company, after upgrading our cluster to the latest version 7.12, we noticed that one of our grok patterns stopped working.

Important things to mention:

The pipeline is functioning correctly, logs are coming in
The pattern that is written above this one is working
We don't see any grokfailure tags
The same grok works in a grok debugger!

So basically, everything is working as desired, apart from this particular grok.

The pattern is

/%{DATA:AccountId}/%{DATA:StatsId}/%{GREEDYDATA:Filename}

An example input would be:

/4420/1021/vhhx13w31r92z1227d62914z41g2mbd11282o341nu.mp4

Please let us know what you think, as it seems like we tried everything on our end.

Thank you in advance!

Aviad

Badger · April 12, 2021, 4:25pm

If grok is not matching but you are not getting a _grokparsefailure tag then that suggests the source field does not exist.

aviadhaham · April 14, 2021, 7:55pm

Seems like it indeed doesn't exist, doesn't appear in Kibana, and not in the mapping of the index (no _source field was found).
Any advice?
Can I fix it?
@Badger

Badger · April 15, 2021, 3:03pm

If the source field does not exist then clearly you can fix it by creating the field, but we have no way of knowing how you should do that.

system · May 13, 2021, 3:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.