Elasticsearch grok processor error

saiergon · February 26, 2018, 2:52pm

hi, can anybody tell me why this is error:

POST /_ingest/pipeline/_simulate
{
"pipeline": {
"description": "filebeat pipeline",
"processors": [
{
"grok": {
"field": "message",
"patterns": ["%{TIMESTAMP_ISO8601}:x"]
}
}
]
},
"docs": [
{
"_index": "index",
"_type": "_doc",
"_id": "id",
"_source": {
"message": "2017-10-12 13:12:32"
}
}
]
}

when i post this, the response is IllegalArgumentException, detailed error information is:

{
"docs": [
{
"error": {
"root_cause": [
{
"type": "exception",
"reason": "java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [2017-10-12 13:12:32]",
"header": {
"processor_type": "grok"
}
}
],
"type": "exception",
"reason": "java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [2017-10-12 13:12:32]",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [2017-10-12 13:12:32]",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "Provided Grok expressions do not match field value: [2017-10-12 13:12:32]"
}
},
"header": {
"processor_type": "grok"
}
}
}
]
}

thanks a lot

saiergon · February 27, 2018, 2:14am

it's my fault, i should use %{TIMESTAMP_ISO8601:x} instead of %{TIMESTAMP_ISO8601}:x...

saiergon · February 27, 2018, 2:54am

i found if i use elasticsearch grok processor, pattern TIMESTAMP_ISO8601 can not mach value "2017-10-12 1:12:32.232", but logstash grok can match. The follow is my use case

POST /_ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "filebeat pipeline",
  "processors": [
    {"grok": {
      "field": "message",
      "patterns": ["%{TIMESTAMP_ISO8601:logtime}"]
    }
    }]
  },
  "docs": [
    {
      "_index": "index",
      "_type": "_doc",
      "_id": "id",
      "_source": {
        "message": "2017-10-12 1:12:32.232"
      }
    }
    ]
}

and the resonse is:

{
  "docs": [
    {
      "error": {
        "root_cause": [
          {
            "type": "exception",
            "reason": "java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [2017-10-12 1:12:32.232]",
            "header": {
              "processor_type": "grok"
            }
          }
        ],
        "type": "exception",
        "reason": "java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [2017-10-12 1:12:32.232]",
        "caused_by": {
          "type": "illegal_argument_exception",
          "reason": "java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [2017-10-12 1:12:32.232]",
          "caused_by": {
            "type": "illegal_argument_exception",
            "reason": "Provided Grok expressions do not match field value: [2017-10-12 1:12:32.232]"
          }
        },
        "header": {
          "processor_type": "grok"
        }
      }
    }
  ]
}

but if i set message value as "2017-10-12 01:12:32.232", its ok. so the hour value must have two numbers in elasticsearch grok processor?

spinscale · February 27, 2018, 1:05pm

the ES grok processor is more strict here. You should try to avoid truncated representations of dates, as especially with different formatting this may lead to ambiguous dates.

saiergon · February 28, 2018, 2:09am

ok，thanks

system · March 28, 2018, 2:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.