Grok failure inspite of all pattern getting parsed

manikandanid · March 11, 2019, 1:34pm

I have a grok pattern
(?(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}).(\d{3}) [A,P]M):.*::%{WORD:StudyAuthorityProviderType}: Serializing result stream of %{NUMBER:ImageSize:float} bytes for component %{NOTSPACE:abcid} in study %{NOTSPACE:xyzid}

and the message as

03/11/2019 08:56:41.909 AM:Debug:StorageService:0:<3> xyz::StudyResourceProvider::GetComponentByNameProvider: Serializing result stream of 262160 bytes for component 1.3.46.670589.33.1.63687812345677469000001.533575123467382911231059 in study 1.3.46.670589.33.1.63687123456789980900001.4667668482223205023

All the fields in the grok pattern is being populated but at the same time the tag contain grokparsefailure. Any idea why this is so ...

Christian_Dahlqvist · March 11, 2019, 1:52pm

What does your full config look like? Do you have any other grok expressions that could fail, in this or other files?

manikandanid · March 12, 2019, 3:58am

You were right there was two grok filter inside one if condition which was causing this problem. For the benefit of user who might face the same problem, following is the change i did

if [document_type] == "abc"
{
grok {
match => {
"message" => [
"Filter 1",
"Filter 2",
"Filter 3"
]
}
}
kv {
source => "uri_query"
field_split => "&"
target => "query"
}
grok {
match => {
"message" => [
"(?(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}).(\d{3}) [A,P]M):.*::%{WORD:StudyAuthorityProviderType}: Serializing result stream of %{NUMBER:ImageSize:float} bytes for component %{NOTSPACE:ImageInstanceUID} in study %{NOTSPACE:StudyUID}",
"Filter 4",
"Filter 5"
]
}
}
}

modified to

if [document_type] == "abc"
{
grok {
match => {
"message" => [
"Filter 1",
"Filter 2",
"Filter 3",
"Filter 4",
"(?(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}).(\d{3}) [A,P]M):.*::%{WORD:StudyAuthorityProviderType}: Serializing result stream of %{NUMBER:ImageSize:float} bytes for component %{NOTSPACE:ImageInstanceUID} in study %{NOTSPACE:StudyUID}",
"Filter 5"
]
}
}
kv {
source => "uri_query"
field_split => "&"
target => "query"
}
}

system · April 9, 2019, 4:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grokparse failure even grok debugger fine Logstash	9	232	September 1, 2023
Grok filter 2 different logs Logstash	6	1340	July 6, 2017
Error : "tags" => [ [0] "_grokparsefailure" ]..Grok filter error Logstash	22	2549	September 18, 2019
Grok failure even after the fields were filtered out successfully Logstash	5	848	January 8, 2018
Grok Parse failure but passing configtest Logstash	6	7056	July 6, 2017

Grok failure inspite of all pattern getting parsed

Related topics