Hi all, I've tried using logstash versions 6.8.1, 7.0 and 7.2 and, regardless of version, logstash seems to stop it's processing and begin consuming all the available CPU. It seems to be stuck with the grok filter. I suspect this is the case, because when I shut down logstash, I get messages regard…

That first pattern has 9 DATA patterns in it. It is going to be very expensive for it to determine that it does not match a field. Whereever possible, replace DATA with something else. If a field cannot contain a space then replace %{DATA:cipher} with (?<cipher>[^ ]+) and so on. Ideally you should…

Discuss the Elastic Stack

Determining reason for stuck grok filter

Elastic Stack Logstash

victor73 July 20, 2019, 12:17am 9

Looks like removing the multitude of grok patterns and using just one followed by the use of the kv filter, was the key to resolving this problem. Many thanks!

Topic		Replies	Views
Grock Parsing high CPU not stopping Logstash	5	618	June 22, 2019
CPU usage for logstash hits over 300% Logstash	6	1219	December 23, 2020
Logstash unresponsive after new grok pattern added Logstash	3	1007	July 6, 2017
Grok filter help! Logstash	5	590	September 15, 2018
High CPU on logstash cluster Logstash	5	905	August 22, 2017

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.

Determining reason for stuck grok filter

Related topics