Grok doesn't work

Eduard_Kolesnikov · May 13, 2017, 1:26pm

Hello, i have some problem with grok.
my_config.conf:

input {
stdin {}
}

filter {
grok { }
}

output {
stdout { codec => rubydebug }
}

but grok doesn't work.
logs:

Sending Logstash's logs to /home/em/Downloads/logstash-5.4.0/logs which is now configured via log4j2.properties
[2017-05-13T16:16:18,507][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
[2017-05-13T16:16:18,528][INFO ][logstash.pipeline ] Pipeline main started
The stdin plugin is now waiting for input:
[2017-05-13T16:16:18,564][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
z
{
"@timestamp" => 2017-05-13T13:16:22.713Z,
"@version" => "1",
"host" => "em-MS-7971",
"message" => "z",
"tags" => [
[0] "_grokparsefailure"
]
}

Constantly produces a tag "_grokparsefailure"
Because of what it could happen?

Christian_Dahlqvist · May 13, 2017, 3:24pm

You have not configured grok to do anything at all and it seems that by default makes it report a failure as nothing could be matched. I am surprised it is starting up at all. What are you expecting it to do?

Eduard_Kolesnikov · May 13, 2017, 10:15pm

I just simplified to the simplest example. According to the official documentation everything should work. For example, I want to add a new tag, but

filter {
grok {
add_tag => ["new_tag"]
}
}

doesn't work and produced a similar error

Eduard_Kolesnikov · May 14, 2017, 6:03am

I understood the problem.
I thought that the absence of a field "match" would apply the filter to all logs. Its not true

system · June 11, 2017, 6:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.