Fileabeat grok fail "Provided Grok expressions do not match field value"

cythwell · August 16, 2018, 3:09am

Hi, my filebeat was got a grok error "Provided Grok expressions do not match field value" when publishing log to elasticsearch.
However, the pattern using was generated by Grok debugger and passed the test.

the log, for example, is like:
[Info](TXN)2018-08-13 11:50:16.990574 request_handler.cpp:221 Resp. 200 url=/origin/vod/720/hls0/index.m3u8 host=mingotest1.mingo.hag-dev.asuscomm.com srcAddr=172.16.1.78:53667 size=594 startTime="13/Aug/2018:11:50:16 +0800", sendTimeInMs=0, origin=mingotest1, cacheHit=HIT

and pipeline like:
get _ingest/pipeline/ocdn-core
{
"ocdn-core": {
"description": "Pipeline for parsing onwards ocdn-core logs.",
"processors": [
{
"grok": {
"field": "message",
"patterns": [
"""[%{WORD:core.level}](.)%{TIMESTAMP_ISO8601:core.access_time} . .* %{NUMBER:core.staus_code} url=%{DATA:core.url} host=%{DATA:core.host} srcAddr=%{DATA:core.client} size=%{NUMBER:core.size} startTime="%{HTTPDATE:core.start_time}", sendTimeInMs=%{NUMBER:core.send_time_in_ms}, origin=%{DATA:core.origin}, cacheHit=%{WORD:core.cache_status}"""
]
}
},
{
"remove": {
"field": "message"
}
}
]
}
}

and my filebeat configuration is:
output.elasticsearch:
hosts: ["192.168.2.212:9200"]
index: "onwards-ocdn-core-%{+yyyy.MM.dd}"
pipeline: "ocdn-core".
Filebeat version is： 6.3.2

Thanks

kvch · August 16, 2018, 6:34am

If the pattern is correct according to the Grok debugger, it usually means that Golang escaping is the problem when integrating into Filebeat.

This is the problem in your case also. Change [%{WORD:core.level}] to \\[%WORD:core.level}\\]. I haven't seen other "[" and "]" in your patterns. If you do have, change every occurences to \\[ and \\].

cythwell · August 16, 2018, 6:42am

Hi, @kvch I had actually add them when I put pipeline to es.

Josiah_Raiche · August 17, 2018, 12:40pm

Might not be your problem, but I ran into this recently and as a n00b I banged my head on it a while.

When your template is loaded the first time, it is saved in elasticsearch and doesn't get overwritten. You have to DELETE _/ingest/pipeline/[name] (from kibana devtools) to get it to use the new definition.

kvch · August 17, 2018, 2:45pm

Indeed. You can also run ./filebeat setup --pipelines -modules="{{ your module name }}" to update your pipeline.

system · September 14, 2018, 2:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.