Elasticsearch GROK pattern failing even though it passes the debugger

mdiorio · January 14, 2019, 3:42pm

I've got an Elasticsearch pipeline grok processor to pull the timestamp out of a log file. Super simple. I tested it in the grok debugger and it works fine.

The pipeline is super simple:
{
"description" : "Parse Date from SQL Filebeat message",
"processors" : [
{
"grok": {
"field": "message",
"patterns": ["%{TIMESTAMP_ISO8601:log_timestamp}"],
"ignore_failure": true
}
}
]
}

As is my input:

2019-01-11 16:40:51.54 Logon Error: 18456, Severity: 14, State: 5.
2019-01-11 16:40:51.54 Logon Login failed for user 'abcdefg'. Reason: Could not find a login matching the name provided. [CLIENT: ]
2019-01-12 00:00:54.55 spid48s This instance of SQL Server has been using a process ID of 5660 since 1/9/2019 11:02:00 AM (local) 1/9/2019 4:02:00 PM (UTC). This is an informational message only; no user action is required.

However the filebeats log shows:

2019-01-11T15:50:52.107-0500 DEBUG [elasticsearch] elasticsearch/client.go:526 Bulk item insert failed (i=8, status=500): {"type":"exception","reason":"java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [\u00002\u00000\u00001\u00009\u0000-\u00000\u00001\u0000-\u00001\u00001\u0000 \u00001\u00005\u0000:\u00004\u00008\u0000:\u00001\u00006\u0000.\u00001\u00004\u0000 \u0000L\u0000o\u0000g\u0000o\u0000n\u0000 \u0000 \u0000 \u0000 \u0000 \u0000 \u0000 \u0000E\u0000r\u0000r\u0000o\u0000r\u0000:\u0000 \u00001\u00008\u00004\u00005\u00006\u0000,\u0000 \u0000S\u0000e\u0000v\u0000e\u0000r\u0000i\u0000t\u0000y\u0000:\u0000 \u00001\u00004\u0000,\u0000 \u0000S\u0000t\u0000a\u0000t\u0000e\u0000:\u0000 \u00005\u0000.\u0000\r\u0000]","caused_by":{"type":"illegal_argument_exception","reason":"java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [\u00002\u00000\u00001\u00009\u0000-\u00000\u00001\u0000-\u00001\u00001\u0000 \u00001\u00005\u0000:\u00004\u00008\u0000:\u00001\u00006\u0000.\u00001\u00004\u0000 \u0000L\u0000o\u0000g\u0000o\u0000n\u0000 \u0000 \u0000 \u0000 \u0000 \u0000 \u0000 \u0000E\u0000r\u0000r\u0000o\u0000r\u0000:\u0000 \u00001\u00008\u00004\u00005\u00006\u0000,\u0000 \u0000S\u0000e\u0000v\u0000e\u0000r\u0000i\u0000t\u0000y\u0000:\u0000 \u00001\u00004\u0000,\u0000 \u0000S\u0000t\u0000a\u0000t\u0000e\u0000:\u0000 \u00005\u0000.\u0000\r\u0000]","caused_by":{"type":"illegal_argument_exception","reason":"Provided Grok expressions do not match field value: [\u00002\u00000\u00001\u00009\u0000-\u00000\u00001\u0000-\u00001\u00001\u0000 \u00001\u00005\u0000:\u00004\u00008\u0000:\u00001\u00006\u0000.\u00001\u00004\u0000 \u0000L\u0000o\u0000g\u0000o\u0000n\u0000 \u0000 \u0000 \u0000 \u0000 \u0000 \u0000 \u0000E\u0000r\u0000r\u0000o\u0000r\u0000:\u0000 \u00001\u00008\u00004\u00005\u00006\u0000,\u0000 \u0000S\u0000e\u0000v\u0000e\u0000r\u0000i\u0000t\u0000y\u0000:\u0000 \u00001\u00004\u0000,\u0000 \u0000S\u0000t\u0000a\u0000t\u0000e\u0000:\u0000 \u00005\u0000.\u0000\r\u0000]"}},"header":{"processor_type":"grok"}}

I had to put the ignore failure in there so at least I can get the logs into Elastic for now, but I need to be able to pull the timestamp for proper processing of the logs.

Thanks.

Brett_Larson · January 21, 2019, 4:04pm

Oddly I am getting this same error in Filebeat with IIS -

Provided Grok expressions do not match field value: [\u00002\u00000\u00001\u00009\u0000-\u00000\u00001\u0000-\u00001\u00003\u0000 \u00000\u00007\u0000:\u00003\u00005\u0000:\u00002\u00005\u0000 \u0000M\u0000C\u0000-\u00003\u00003\u0000B\u0000B\u00007\u00002\u00006\u0000E\u0000-\u00003\u0000B\u00002\u0000A\u0000-\u00004\u00001\u00003\u00002\u0000-\u0000B\u0000B\u00005\u00008\u0000-\u00004\u00001\u00007\u00004\u00004\u00000\u0000-\u0000C\u0000D\u0000 \u0000G\u0000E\u0000T\u0000 \u0000/\u0000g\u0000l\u0000o\u0000b\u0000a\u0000l\u0000/\u0000e\u0000r\u0000r\u0000o\u0000r\u0000s\u0000/\u00004\u00000\u00004\u0000 \u0000i\u0000t\u0000e\u0000m\u0000=\u0000%\u00002\u0000f\u0000g\u0000l\u0000o\u0000b\u0000a\u0000l\u0000%\u00002\u0000f\u0000n\u0000e\u0000w\u0000s\u0000-\u0000a\u0000n\u0000d\u0000-\u0000v\u0000i\u0000e\u0000w\u0000s\u0000%\u00002\u0000f\u0000a\u0000r\u0000t\u0000i\u0000c\u0000l\u0000e\u0000s\u0000%\u00002\u0000f\u0000h\u0000e\u0000n\u0000d\u0000e\u0000r\u0000s\u0000o\u0000n\u0000-\u0000g\u0000l\u0000o\u0000b\u0000a\u0000l\u0000-\u0000i\u0000n\u0000v\u0000e\u0000s\u0000t\u0000o\u0000r\u0000s\u0000-\u0000s\u0000u\u0000b\u0000m\u0000i\u0000t\u0000s\u0000-\u0000p\u0000l\u0000a\u0000n\u0000n\u0000i\u0000n\u0000g\u0000-\u0000a\u0000p\u0000p\u0000l\u0000i\u0000c\u0000a\u0000t\u0000i\u0000o\u0000n\u0000-\u0000f\u0000o\u0000r\u0000-\u0000s\u0000m\u0000i\u0000t\u0000h\u0000f\u0000i\u0000e\u0000l\u0000d\u0000-\u0000q\u0000u\u0000a\u0000r\u0000t\u0000e\u0000r\u0000&\u0000u\u0000s\u0000e\u0000r\u0000=\u0000e\u0000x\u0000t\u0000r\u0000a\u0000n\u0000e\u0000t\u0000%\u00005\u0000c\u0000A\u0000n\u0000o\u0000n\u0000y\u0000m\u0000o\u0000u\u0000s\u0000&\u0000s\u0000i\u0000t\u0000e\u0000=\u0000w\u0000e\u0000b\u0000s\u0000i\u0000t\u0000e\u0000&\u0000X\u0000-\u0000A\u0000R\u0000R\u0000-\u0000L\u0000O\u0000G\u0000-\u0000I\u0000D\u0000=\u0000a\u00005\u00002\u00003\u00006\u00001\u00007\u0000b\u0000-\u00009\u00003\u0000e\u00005\u0000-\u00004\u00007\u00003\u0000d\u0000-\u0000b\u0000d\u0000e\u00005\u0000-\u0000e\u00004\u0000c\u0000a\u0000b\u0000f\u0000a\u00003\u0000e\u00000\u00008\u00004\u0000 \u00004\u00004\u00003\u0000 \u0000-\u0000 \u00002\u00000\u00004\u0000.\u00001\u00005\u00006\u0000.\u00007\u0000.\u00002\u00000\u0000 \u0000M\u0000o\u0000z\u0000i\u0000l\u0000l\u0000a\u0000/\u00005\u0000.\u00000\u0000+\u0000(\u0000M\u0000a\u0000c\u0000i\u0000n\u0000t\u0000o\u0000s\u0000h\u0000;\u0000+\u0000I\u0000n\u0000t\u0000e\u0000l\u0000+\u0000M\u0000a\u0000c\u0000+\u0000O\u0000S\u0000+\u0000X\u0000+\u00001\u00000\u0000_\u00001\u00001\u0000_\u00002\u0000)\u0000+\u0000A\u0000p\u0000p\u0000l\u0000e\u0000W\u0000e\u0000b\u0000K\u0000i\u0000t\u0000/\u00006\u00000\u00001\u0000.\u00003\u0000.\u00009\u0000+\u0000(\u0000K\u0000H\u0000T\u0000M\u0000L\u0000,\u0000+\u0000l\u0000i\u0000k\u0000e\u0000+\u0000G\u0000e\u0000c\u0000k\u0000o\u0000)\u0000+\u0000V\u0000e\u0000r\u0000s\u0000i\u0000o\u0000n\u0000/\u00009\u0000.\u00000\u0000.\u00002\u0000+\u0000S\u0000a\u0000f\u0000a\u0000r\u0000i\u0000/\u00006\u00000\u00001\u0000.\u00003\u0000.\u00009\u0000 \u0000A\u0000R\u0000R\u0000A\u0000f\u0000f\u0000i\u0000n\u0000i\u0000t\u0000y\u0000=\u00007\u00007\u00006\u0000f\u00008\u0000b\u0000d\u0000f\u0000e\u00004\u0000a\u00003\u00005\u00008\u0000c\u0000d\u0000b\u00001\u0000d\u00007\u00000\u00000\u00006\u00000\u00001\u00000\u0000d\u00009\u00003\u0000f\u00003\u00009\u0000d\u00004\u00006\u0000c\u0000f\u00000\u0000e\u00002\u00001\u00003\u00007\u00005\u00002\u00001\u00003\u00001\u0000c\u00003\u00005\u0000a\u00001\u00000\u00003\u00001\u00008\u0000f\u0000b\u00002\u00001\u00007\u00009\u00006\u0000;\u0000 \u0000-\u0000 \u0000o\u0000r\u0000i\u0000g\u0000i\u0000n\u0000-\u0000w\u0000w\u0000w\u0000-\u0000g\u0000l\u0000o\u0000b\u0000a\u0000l\u0000.\u0000n\u0000u\u0000v\u0000e\u0000e\u0000n\u0000.\u0000c\u0000o\u0000m\u0000 \u00002\u00000\u00000\u0000 \u00000\u0000 \u00000\u0000 \u00001\u00002\u00008\u00006\u00004\u0000 \u00002\u00007\u00006\u00002\u0000 \u00001\u00002\u00008\u0000\r\u0000]

system · February 18, 2019, 4:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok parser date processor problem Elasticsearch	5	539	November 23, 2020
Extract timestamp from the logline Beats filebeat	7	4413	September 12, 2019
Failed to parse [timestamp] Logstash	9	2704	May 17, 2017
Filebeat error using ingest pipeline: Provided Grok expressions do not match field value Beats filebeat	4	6118	June 15, 2017
GROK pattern and Debugger Logstash	3	279	September 2, 2020

Elasticsearch GROK pattern failing even though it passes the debugger

Related topics