Drop GrokParseFailure if message exactly equals "\r, \r\n and \n"

Sameer_Panicker · April 17, 2016, 6:45pm

     "message" => "\r",
  "@timestamp" => "2016-04-17T18:40:43.136Z",
        "Path" => "C:/Logs/HttpEventSource 1.txt",
        "Type" => "HttpEventSource",
"GrokFailures" => [
    [0] "_grokparsefailure"
]

My Conf -
if (("_grokparsefailure" in [tags]) and ("message" == "\r" or "message" == "\n" or "message" == "\r\n"))
{
drop {}
}
else
{
mutate
{
rename => { "tags" => "GrokFailures" }
}
}

It is still not droping the event. What am I doing wrong here ???

Sameer_Panicker · April 19, 2016, 2:48am

Can anyone please provide any update on this ?

bhatch · April 19, 2016, 5:02pm

Does it go directly to the mutate/rename portion every time? Or does it rename the field, but just doesn't drop the record?

I had problems getting the "_grokparsefailure" in [tags] line to work in the past. But since the field only existed if there was a grokparsefailure, I changed it to read:

if ![tags] {
    mutate {...}
}

It basically says "If the field doesn't exist, then go on and run the mutate command". For your case, remove the exclamation mark so that it runs when the field exists.

If that still doesn't work, start going piece by piece until you find the area that doesn't match but should. For example, remove the message portion and just have the [tags] portion. Does it work then? If so then remove the [tags] portion and just run the message portions. Does it work then?

Sameer_Panicker · April 19, 2016, 9:46pm

[quote="bhatch, post:3, topic:47591"]
Does it go directly to the mutate/rename portion every time? Or does it rename the field, but just doesn't drop the record?
[/quote] It does'nt drops the value and YES it directly goes to Mutate and renames.

[quote="bhatch, post:3, topic:47591"]
It basically says "If the field doesn't exist, then go on and run the mutate command". For your case, remove the exclamation mark so that it runs when the field exists.

If that still doesn't work, start going piece by piece until you find the area that doesn't match but should. For example, remove the message portion and just have the [tags] portion. Does it work then? If so then remove the [tags] portion and just run the message portions. Does it work then?
[/quote]I will give a try

system · July 6, 2017, 5:01am