Filtered Log messages show up as empty fields in Kibana

Chma · September 28, 2022, 7:04pm

I have filtered my log message using grok. But when I check Kibana, I find the new fields on the left side of the page, but they are empty. I am also getting the _grokparsefailure tag.

Here's an example of my log message:

[2022-09-28 18:11:25,144] {processor.py:641} INFO - Processing file /opt/airflow/dags/dag_filtered.py for tasks to queue

Here's my logstash config file:

input {
  beats {
    port => 5044
    codec => "line"
  }
}
filter{
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}]%{DATA:class} %{SPACE}%{LOGLEVEL:loglevel} -%{GREEDYDATA:logMessage}" }
    overwrite => [ "message" ]
  }
  date {
    match => [ "timestamp", "MMM dd yyyy HH:mm:ss", "MMM  d yyyy HH:mm:ss", "ISO8601" ]
    target => "@timestamp"
  }
}
output {
  elasticsearch {
    hosts => ["${IP}:9200"]
    index =>"logss-%{+YYYY.MM.dd}"
  }
}

And here's my filebeat configuration:

filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: true
  paths:
    - /home/ubuntu/logs/**/*.log
filebeat.config.modules:
  path: /etc/filebeat/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
output.logstash:
  hosts: ["${ip}:5044"]
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - drop_fields:
      fields: ["agent", "cloud", "ecs", "host", "input", "tags", "log.offset"]
      ignore_missing: true

When I test my log message and the grok pattern I have on Grok Debugger, it works fine. So what am I missing?

Rios · October 1, 2022, 2:02am

I don't think this sample has issues. I have tested your line, it's produced:

{
         "class" => " {processor.py:641}",
     "timestamp" => "2022-09-28 18:11:25,144",
      "loglevel" => "INFO",
    "logMessage" => " Processing file /opt/airflow/dags/dag_filtered.py for tasks to queue",
    "@timestamp" => 2022-09-28T16:11:25.144Z,
       "message" => "[2022-09-28 18:11:25,144] {processor.py:641} INFO - Processing file /opt/airflow/dags/dag_filtered.py for tasks to queue",
        
}

Most likely another line cause a problem. This is a little bit improved grok(without braces and space) with error handling:

filter{
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}]\s*{%{DATA:class}}\s*%{LOGLEVEL:loglevel}\s*-\s*%{GREEDYDATA:logMessage}" }
  }
  
  date { match => [ "timestamp", "ISO8601" ] }

}

output {
 if ("_grokparsefailure" in [tags]) {
  elasticsearch {
    hosts => ["${IP}:9200"]
    index =>"grokfailure-%{+YYYY.MM.dd}"
  }
  # optionally
  file { path => "/path/grok_failure_%{+YYYY-MM-dd}.txt" }
 }
 else {
   elasticsearch {
    hosts => ["${IP}:9200"]
    index =>"logss-%{+YYYY.MM.dd}"
  }
 }

}

system · October 29, 2022, 2:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filtered Log messages show up as empty fields in Kibana Logstash	8	599	October 27, 2022
Grok fields are not visible in kibana Logstash	9	3383	July 6, 2017
Grok filter confusion - Am I missing something? Logstash	9	4081	July 6, 2017
Not displaying fields specified in the Logstash filter Logstash	11	4653	July 6, 2017
Logstash debugger tool shows matched for filter but new fields don't appear on Kibana Logstash	3	605	January 18, 2018

Filtered Log messages show up as empty fields in Kibana

Related topics