Grok add_tag processed when no match was found

elady · March 19, 2020, 7:46pm

Hey.
I have the following configuration:

filter {
	grok {
		match => {
			"message" => "%{TIMESTAMP_ISO8601:event_timestamp}%{SPACE}%{DATA:log_level}%{SPACE}\[%{DATA:host}\]%{SPACE}\[%{DATA:tenant}\]%{SPACE}\[%{DATA:java_class}\]%{SPACE}-%{SPACE}<SchedulerTaskRunLog \[jobName=%{DATA:task}, tenantId=%{DATA:tenant}, startTime=%{TIMESTAMP_ISO8601:task_start_time}, endTime=%{TIMESTAMP_ISO8601:task_end_time}, status=%{DATA:status}, description=%{GREEDYDATA:text}\]>"
			"path" => "%{GREEDYDATA:filename}"
		}
		add_tag => ["scheduled_task1", "processed"]
	}

The problem is that the tags are being added even if there was no match.
I know there was no match because I take the event message from Kibana and uses the grok debugger with the same grok pattern and get an error.
Also, I don't see any of my parsed fields in the event.
Another thing is that according to the Kibana 100% of the events have the "scheduled_task1" tag. this is bad...

I will very much appreciate any ideas.
Thank you!

rcowart · March 20, 2020, 6:10pm

Since you are using only GREEDYDATA against the path field, it will always match. I would remove that from the grok filter, and set filename using a mutate filter.

Rob

How to install Elasticsearch & Kibana on Ubuntu - incl. hardware recommendations
What is the best storage technology for Elasticsearch?

elady · March 22, 2020, 10:39am

That was a good and elegant idea.
I have tried it but found out that my path field was then duplicated.
Apparently the path field is being populated in the input section, so I ended up removing the entire thing altogether and now it works.

Thank you very much for your quick respond, I feel like my configuration is much better now.

system · April 19, 2020, 10:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.