Elasticsearch only shows the _grokparsefailure record, where are the matched ones?

Xinyan_Zhang · September 30, 2016, 8:09pm

At the beginning, my pattern is not correct, so every record is
unmatched and shown in elasticsearch as a whole line instead of
separated rows.
Then I changed my pattern which passes the http://grokdebug.herokuapp.com/. Now I can not see any of my new records in elasticsearch. My elasticsearch only shows the "_grokparsefailure" tagged records.

Where are the matched ones? thx

Xinyan_Zhang · October 4, 2016, 7:58pm

I found the root cause -- a configuration problem in logstash. I
chose a wrong type in the output section. I parse the message, assign
value to a variable named "type". So "type" has the wrong value.

Topic		Replies	Views
How Can I find unmatched logs with pattern grok? Logstash	2	1164	October 19, 2017
Can't see _grokparsefailure Logstash	1	482	March 6, 2018
Grok Matches but getting _grokparsefailure in Kibana Logstash	1	241	April 25, 2020
Is it possible to index only the matched log lines of grok in Logstash? Logstash	6	3094	March 5, 2017
Can't even parse very simple data and get _grokparsefailure as a tag Logstash	19	1072	December 12, 2018

Elasticsearch only shows the _grokparsefailure record, where are the matched ones?

Related topics