Grok failure in spite of all patterns getting parsed

I have a grok pattern
(?(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}).(\d{3}) [A,P]M):.*::%{WORD:StudyAuthorityProviderType}: Serializing result stream of %{NUMBER:ImageSize:float} bytes for component %{NOTSPACE:abcid} in study %{NOTSPACE:xyzid}

and the message as

03/11/2019 08:56:41.909 AM:Debug:StorageService:0:<3> xyz::abc::StudyResourceProvider::GetComponentByNameProvider: Serializing result stream of 262160 bytes for component 1.3.46.670589.33.1.63687812345677469000001.533575123467382911231059 in study 1.3.46.670589.33.1.63687123456789980900001.4667668482223205023

All the fields in the grok pattern are being populated, but at the same time the tags contain _grokparsefailure. Any idea why this is so?

What does your full config look like? Do you have any other grok expressions that could fail, in this or other files?


You were right, there were two grok filters inside one if condition, which was causing this problem. For the benefit of users who might face the same problem, the following is the change I did:

if [document_type] == "abc"
{
  grok {
    match => {
      "message" => [
        "Filter 1",
        "Filter 2",
        "Filter 3"
      ]
    }
  }
  kv {
    source => "uri_query"
    field_split => "&"
    target => "query"
  }
  grok {
    match => {
      "message" => [
        "(?(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}).(\d{3}) [A,P]M):.*::%{WORD:StudyAuthorityProviderType}: Serializing result stream of %{NUMBER:ImageSize:float} bytes for component %{NOTSPACE:ImageInstanceUID} in study %{NOTSPACE:StudyUID}",
        "Filter 4",
        "Filter 5"
      ]
    }
  }
}

modified to

if [document_type] == "abc"
{
  grok {
    match => {
      "message" => [
        "Filter 1",
        "Filter 2",
        "Filter 3",
        "Filter 4",
        "(?(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}).(\d{3}) [A,P]M):.*::%{WORD:StudyAuthorityProviderType}: Serializing result stream of %{NUMBER:ImageSize:float} bytes for component %{NOTSPACE:ImageInstanceUID} in study %{NOTSPACE:StudyUID}",
        "Filter 5"
      ]
    }
  }
  kv {
    source => "uri_query"
    field_split => "&"
    target => "query"
  }
}
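The mechanism behind the fix, as an added example that is not part of the thread: each grok block is evaluated independently, so a block whose patterns all fail tags the event with _grokparsefailure even when a later block in the same conditional fills every field. The script below is a small stand-in for Logstash's grok (it expands only the WORD, NUMBER and NOTSPACE patterns used here, in simplified form), runs the thread's sample message through both the "two blocks" and the "one block" layouts, and shows the tag appearing only in the first. The named group is called `timestamp` and the "Filter 1..5" stand-ins are constructed patterns that match nothing in the sample; both are assumptions, not from the thread.

```python
import re

# Grok pattern definitions, reduced to the three used on this page.
# Assumption: simplified forms of the stock Logstash definitions.
GROK_DEFS = {
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "NOTSPACE": r"\S+",
}
TYPE_CASTS = {"int": int, "float": float}


def grok_to_regex(pattern):
    """Expand %{SYNTAX:SEMANTIC:TYPE} and (?<name>...) into a Python regex.
    Returns (compiled_regex, {field: type_name})."""
    casts = {}

    def expand(m):
        syntax, field, typ = m.group(1), m.group(2), m.group(3)
        if typ:
            casts[field] = typ
        body = GROK_DEFS[syntax]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    regex = re.sub(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}", expand, pattern)
    # Oniguruma-style (?<name>...) -> Python (?P<name>...); lookbehinds are untouched
    regex = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)
    return re.compile(regex), casts


def grok_filter(event, patterns):
    """Emulate one grok{} block: the first matching pattern wins; if none
    match, the event gets the _grokparsefailure tag (Logstash's default)."""
    for pattern in patterns:
        regex, casts = grok_to_regex(pattern)
        m = regex.search(event["message"])
        if m:
            for field, value in m.groupdict().items():
                if value is None:
                    continue
                cast = TYPE_CASTS.get(casts.get(field))
                event[field] = cast(value) if cast else value
            return event
    event.setdefault("tags", []).append("_grokparsefailure")
    return event


# The sample message from the thread.
MESSAGE = (
    "03/11/2019 08:56:41.909 AM:Debug:StorageService:0:<3> xyz::abc::"
    "StudyResourceProvider::GetComponentByNameProvider: Serializing result stream of "
    "262160 bytes for component 1.3.46.670589.33.1.63687812345677469000001.533575123467382911231059 "
    "in study 1.3.46.670589.33.1.63687123456789980900001.4667668482223205023"
)

# The thread's pattern; the group name "timestamp" is an assumption (it is
# missing from the thread's rendering of the pattern).
SERIALIZE_PATTERN = (
    r"(?<timestamp>(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}).(\d{3}) [A,P]M):.*::"
    r"%{WORD:StudyAuthorityProviderType}: Serializing result stream of "
    r"%{NUMBER:ImageSize:float} bytes for component %{NOTSPACE:ImageInstanceUID} "
    r"in study %{NOTSPACE:StudyUID}"
)

# Constructed stand-ins for the thread's "Filter 1".."Filter 5"; none match MESSAGE.
OTHER_PATTERNS = [
    r"^Started %{WORD:service} on port %{NUMBER:port:int}",
    r"^%{WORD:level}: request %{NOTSPACE:uri_query}",
]


def run_two_grok_blocks(message):
    """Original config: two grok{} blocks inside one if-condition."""
    event = {"message": message}
    grok_filter(event, OTHER_PATTERNS)        # nothing matches -> tag is added here
    grok_filter(event, [SERIALIZE_PATTERN])   # matches -> fields populated, tag stays
    return event


def run_single_grok_block(message):
    """Modified config: every pattern in one grok{} block."""
    event = {"message": message}
    grok_filter(event, OTHER_PATTERNS + [SERIALIZE_PATTERN])
    return event


if __name__ == "__main__":
    two, one = run_two_grok_blocks(MESSAGE), run_single_grok_block(MESSAGE)
    print("two blocks:", two.get("tags"), two["ImageSize"], two["StudyUID"])
    print("one block :", one.get("tags"), one["ImageSize"], one["StudyUID"])
```

Run it and the "two blocks" event carries the tag alongside fully populated fields, exactly the symptom in the question, while the "one block" event has no tags key at all. The same reasoning applies in real Logstash: a block that should be allowed to fail silently needs its own `tag_on_failure` setting, or its patterns merged into the block that is expected to match.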
