Grok Empty Field Parse Failure

mai_le · August 8, 2016, 10:05am

Hello,

I'm trying to parse the log below:

"------------------------------------------------------------------------------------------------------------------------\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;9999;Error;"

And sometimes I have emty fields like this:
"------------------------------------------------------------------------------------------------------------------------\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;;;"

Here is my grok:

grok {
match => { "message" => "------------------------------------------------------------------------------------------------------------------------\n(?<demand_time>%{DATE_EU} %{TIME});(?<response_time>%{DATE_EU} %{TIME});%{NOTSPACE:method};%{NOTSPACE:version};(?<return_code>(.)*?);(?<return_label>(.)*?);"}
}

I tried this grok with the grok debugger. It worked well with the both cases.
However, when I run this grok, I receive "_grokparsefailure".

Can anyone help me with this issue? Is there any error in my grok?

Thank you in advance for your help.

apelsina · August 8, 2016, 8:21pm

Try escape the newline symbol in your pattern: write '\\n' instead of '\n' in your config. For me it worked:


Pipeline main started
------------------------------------------------------------------------------------------------------------------------\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;9999;Error;
{
          "message" => "------------------------------------------------------------------------------------------------------------------------\\\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;9999;Error;",
         "@version" => "1",
       "@timestamp" => "2016-08-08T20:15:17.787Z",
             "host" => "homesweethome",
      "demand_time" => "01/03/2016 19:05:15",
    "response_time" => "01/03/2016 19:05:18",
           "method" => "Method",
          "version" => "V2.1",
      "return_code" => "9999",
     "return_label" => "Error"
}
------------------------------------------------------------------------------------------------------------------------\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;;;
{
          "message" => "------------------------------------------------------------------------------------------------------------------------\\\n01/03/2016 19:05:15;01/03/2016 19:05:18;Method;V2.1;;;",
         "@version" => "1",
       "@timestamp" => "2016-08-08T20:15:39.747Z",
             "host" => "homesweethome",
      "demand_time" => "01/03/2016 19:05:15",
    "response_time" => "01/03/2016 19:05:18",
           "method" => "Method",
          "version" => "V2.1"
}
Without '\n' escaped I got the _grokparsefailure, too.

mai_le · August 9, 2016, 7:43am

Thank you very much for your answer.

Finally it works well with this grok:

grok {
keep_empty_captures => true
match => { "message" => "------------------------------------------------------------------------------------------------------------------------\n(?<demand_time>%{DATE_EU} %{TIME});(?<response_time>%{DATE_EU} %{TIME});(?<method>[\w\d]+);(?<version>[\w\d\.]+);(?<return_code>(.)*?);(?<return_label>(.)*?);"}
}

I added "keep_empty_captures => true" to keep my empty values.

Best regards.

chimbo84 · May 23, 2017, 6:47pm

I am having this issue as well but your fix is not helping.

grok:

  grok {
    keep_empty_captures => true
    match => {
    message => "%{TIMESTAMP_ISO8601:DateTime},%{WORD:event_type},%{BASE10NUM:log_ver},%{BASE10NUM:imsi},%{BASE10NUM:imei},%{WORD:tmsi},%{BASE10NUM:mcc},%{BASE10NUM:mnc},%{BASE10NUM:lac},%{WORD:acceptorreject},%{BASE10NUM:cause_code},%{WORD:IsInWhitelist},%{WORD:IsAGuest}"
    }
  }

Line I am trying to parse:
2017-05-23 13:04:33.042118+00:00,CSLUR,3,310410878882193,355609069998000,,,,7002,A,0,U,G

Any help would be appreciated!