I have a grok pattern
(?(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}).(\d{3}) [A,P]M):.*::%{WORD:StudyAuthorityProviderType}: Serializing result stream of %{NUMBER:ImageSize:float} bytes for component %{NOTSPACE:abcid} in study %{NOTSPACE:xyzid}
and the message is
03/11/2019 08:56:41.909 AM:Debug:StorageService:0:<3> xyz:
:StudyResourceProvider::GetComponentByNameProvider: Serializing result stream of 262160 bytes for component 1.3.46.670589.33.1.63687812345677469000001.533575123467382911231059 in study 1.3.46.670589.33.1.63687123456789980900001.4667668482223205023
All the fields in the grok pattern are being populated, but at the same time the tags contain `_grokparsefailure`. Any idea why this is so?
What does your full config look like? Do you have any other grok expressions that could fail, in this or other files?
You were right, there were two grok filters inside one if condition, which was causing this problem. For the benefit of users who might face the same problem, the following is the change I did:
if [document_type] == "abc"
{
grok {
match => {
"message" => [
"Filter 1",
"Filter 2",
"Filter 3"
]
}
}
kv {
source => "uri_query"
field_split => "&"
target => "query"
}
grok {
match => {
"message" => [
"(?(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}).(\d{3}) [A,P]M):.*::%{WORD:StudyAuthorityProviderType}: Serializing result stream of %{NUMBER:ImageSize:float} bytes for component %{NOTSPACE:ImageInstanceUID} in study %{NOTSPACE:StudyUID}",
"Filter 4",
"Filter 5"
]
}
}
}
modified to
if [document_type] == "abc"
{
grok {
match => {
"message" => [
"Filter 1",
"Filter 2",
"Filter 3",
"Filter 4",
"(?(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}).(\d{3}) [A,P]M):.*::%{WORD:StudyAuthorityProviderType}: Serializing result stream of %{NUMBER:ImageSize:float} bytes for component %{NOTSPACE:ImageInstanceUID} in study %{NOTSPACE:StudyUID}",
"Filter 5"
]
}
}
kv {
source => "uri_query"
field_split => "&"
target => "query"
}
}
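Why the original layout tagged events whose fields were all populated, shown as an added Python model of grok's matching rules (this is example code written for this page, not Logstash's own implementation and not part of the thread). Each `grok {}` block is evaluated on its own: its patterns are tried in order, the first match fills the fields, and if none of its patterns match it adds `_grokparsefailure`, regardless of what another grok block did with the same event. The regexes below are hand-expanded stand-ins for the post's patterns (the `timestamp` field name is an assumption, since the capture name did not survive on the page), the `REQUEST` pattern is a hypothetical replacement for "Filter 1", and both log lines are constructed from the one in the question.

```python
import re

GROK_PARSE_FAILURE = "_grokparsefailure"

# Constructed stand-ins for the post's grok patterns, with %{WORD:...},
# %{NUMBER:...} and %{NOTSPACE:...} expanded by hand. The name "timestamp"
# for the leading capture is an assumption.
TIMESTAMP = r"(?P<timestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [AP]M)"

SERIALIZE = re.compile(
    TIMESTAMP
    + r":.*::(?P<StudyAuthorityProviderType>\w+): Serializing result stream of "
    + r"(?P<ImageSize>\d+(?:\.\d+)?) bytes for component (?P<ImageInstanceUID>\S+) "
    + r"in study (?P<StudyUID>\S+)"
)

# Hypothetical stand-in for "Filter 1": a request line that carries a query
# string, i.e. the kind of event the post's kv filter is meant to consume.
REQUEST = re.compile(
    TIMESTAMP + r":Info:WebService:0: GET (?P<uri_path>[^\s?]+)\?(?P<uri_query>\S+)"
)


def grok(event, patterns, tag_on_failure=(GROK_PARSE_FAILURE,)):
    """Model of one Logstash grok {} filter with default settings: patterns are
    tried in order, the first match populates the event (break_on_match => true),
    and if none of them match the failure tag is appended to [tags]."""
    for pattern in patterns:
        match = pattern.search(event["message"])
        if match:
            for name, value in match.groupdict().items():
                if value is not None:
                    event[name] = value
            return event
    tags = event.setdefault("tags", [])
    for tag in tag_on_failure:
        if tag not in tags:
            tags.append(tag)
    return event


def kv(event, source="uri_query", field_split="&", target="query"):
    """Model of the post's kv {} filter: a no-op when the source field is absent."""
    if source in event:
        event[target] = dict(
            pair.split("=", 1) if "=" in pair else (pair, "")
            for pair in event[source].split(field_split)
        )
    return event


def pipeline_two_groks(event):
    """The original config: two grok filters inside the same if block."""
    grok(event, [REQUEST])      # stands in for "Filter 1".."Filter 3"
    kv(event)
    grok(event, [SERIALIZE])    # the Serializing-result pattern
    return event


def pipeline_one_grok(event):
    """The fix from the post: every pattern in a single grok filter."""
    grok(event, [REQUEST, SERIALIZE])
    kv(event)
    return event


def run(pipeline, message):
    """Push one raw message through a pipeline and return the resulting event."""
    return pipeline({"message": message})


# Constructed sample lines; the first is the question's message joined onto one line.
SERIALIZE_MSG = (
    "03/11/2019 08:56:41.909 AM:Debug:StorageService:0:<3> xyz:"
    ":StudyResourceProvider::GetComponentByNameProvider: Serializing result stream "
    "of 262160 bytes for component 1.3.46.670589.33.1.100 in study 1.3.46.670589.33.1.200"
)
REQUEST_MSG = "03/11/2019 08:56:40.001 AM:Info:WebService:0: GET /wado?studyUID=1.2.3&series=4"

if __name__ == "__main__":
    for name, pipeline in (("two groks", pipeline_two_groks), ("one grok", pipeline_one_grok)):
        for msg in (SERIALIZE_MSG, REQUEST_MSG):
            event = run(pipeline, msg)
            print(name, "->", sorted(k for k in event if k != "message"), event.get("tags"))
```

With two grok blocks, the Serializing line gets all five fields from the second block and `_grokparsefailure` from the first; the request line gets its query fields and the tag from the second block, so every event in that branch ends up tagged. Merging the patterns into one block stops this because `break_on_match` ends the search at the first pattern that fits. Setting `tag_on_failure => []` on the extra grok would also silence the tag, but it throws away the signal that a line matched nothing, so one grok per branch, or a separate conditional per grok, is the cleaner fix.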