Broken grok after the update to Logstash 7.12

aviadhaham · April 12, 2021, 10:41am

Hello,

In my company, after upgrading our cluster to the latest version 7.12, we noticed that one of our grok patterns stopped working.

Important things to mention:

The pipeline is functioning correctly, logs are coming in
The pattern that is written above this one is working
We don't see any grokfailure tags
The same grok works in a grok debugger!

So basically, everything is working as desired, apart from this particular grok.

The pattern is

/%{DATA:AccountId}/%{DATA:StatsId}/%{GREEDYDATA:Filename}

An example input would be:

/4420/1021/vhhx13w31r92z1227d62914z41g2mbd11282o341nu.mp4

Please let us know what you think, as it seems like we tried everything on our end.

Thank you in advance!

Aviad

Badger · April 12, 2021, 4:25pm

If grok is not matching but you are not getting a _grokparsefailure tag then that suggests the source field does not exist.

aviadhaham · April 14, 2021, 7:55pm

Seems like it indeed doesn't exist, doesn't appear in Kibana, and not in the mapping of the index (no _source field was found).
Any advice?
Can I fix it?
@Badger

Badger · April 15, 2021, 3:03pm

If the source field does not exist then clearly you can fix it by creating the field, but we have no way of knowing how you should do that.

system · May 13, 2021, 3:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Tag ["_parsegrokfailure"] anyone could help me? Logstash	6	428	August 12, 2020
Logstash grok parse failure, while kibana grok debugger works fine Logstash	2	660	March 21, 2020
Logstash Grok pattern not reflecting in kibana Logstash	3	666	January 9, 2017
Broken Grok filter since V7.10.0 Logstash	3	295	February 23, 2022
Grok pattern OK in debugger, but parse failure in logstash Logstash	5	740	March 25, 2020

Broken grok after the update to Logstash 7.12

Related topics