Hi, I have a log that has a json field inside that can have empty fields, specifically I have a date field, the log can be like this
"2022-11-28 09:24:46:705"|"+0100"|"transId: xxxxxx"|"resId: xxxxxx"|"1.1.1.1"|"https://example.com/xxxxxx"|"HTTP/1.1"|"EXE"|"GET"|"404"|" {"codCpi":"","codFis": "","codSap": "","codState": "","datBirth": "", "xml": ""}"|"token : xxxx"
Have this rule for match:
filter {
grok {
match => { "message" => "\"%{TIMESTAMP_ISO8601:timestamp}\"\|\"%{DATA:tz}\"\|\"transId: %{GREEDYDATA:transactionId}\"\|\"resId: %{GREEDYDATA:responseId}\"\|\"%{IP:ip}\"\|\"%{GREEDYDATA:url}\"\|\"%{DATA:httpver}\"\|\"%{DATA:exe}\"\|\"%{WORD:httpverb}\"\|\"%{GREEDYDATA:httpCodeResponse}\"\|\"%{DATA:contentRequest}\"\|\"%{GREEDYDATA:token}\"" }
}
json {
source => "contentRequest"
}
}
With this match i have this error:
"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [datBirth] of type [date] in document with id 'VSFI54QBv1ziCbBLadWr'. Preview of field's value: ''", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"cannot parse empty date"}}}}
Instead, there is no error if the field datBirth is filled in
To confirm, are you only receiving this error for events where datBirth is empty, and parsing is successful when it's populated?
If so you could try specifying zero or one occurrences using the ? operator, as per the below:
Hi all,
Each line in my log file does not contain a source IP adderss so the
"message" => "%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}\s+%{THREAD:thread}\s+(?:%{IP:ip})"
so it returns a "no mach" - from grok debugger. As result the the fields that I'm expecting to be created by the grok{} is not happening. So we tried to make the pattern for IP in this expression something like :
match => {"message" => "%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}\s+%{THREAD:thread}…
I confirm that if the field is filled in, it works.
leandrojmp
December 6, 2022, 12:58pm
4
You can remove the field if it is empty.
if [dateBirth] == "" {
mutate {
remove_field => ["dateBirth"]
}
}
1 Like
Sorry I did not understand
filter {
grok {
match => { "message" => "\"%{TIMESTAMP_ISO8601:timestamp}\"\|\"%{DATA:tz}\"\|\"transId: %{GREEDYDATA:transactionId}\"\|\"resId: %{GREEDYDATA:responseId}\"\|\"%{IP:ip}\"\|\"%{GREEDYDATA:url}sap/API/SAP/codFiscale\/%{GREEDYDATA:codicefiscale}\"\|\"%{DATA:httpver}\"\|\"%{DATA:gruppo}\"\|\"%{WORD:httpverb}\"\|\"%{GREEDYDATA:httpCodeResponse}\"\|\"(?<contentRequest>{.*})\"\|\"%{GREEDYDATA:token}\"" }
}
json {
source => "contentRequest"
}
}
Thanks!
system
January 3, 2023, 1:17pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
