Grok filter succeeds in unit test, in grok debugger, but fails in production

aadamovich · June 2, 2016, 12:50pm

Hi!

I have the following filter in Logstash:

filter { 
  if [type] == "weblogic" {
    multiline {
      pattern      => "^####"
      negate       => true
      what         => previous
    }
    grok {
      match => {
        "message"  => [ 
          '####<(?<timestamp>\w{3}\s+\d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} \w{2}) \w+> <%{DATA:severity}> <%{DATA:subsystem}> <%{DATA:machine}> <%{DATA:server}> <%{DATA:thread}> <%{DATA:user}> <%{DATA:diagnostic}> <%{DATA:transaction}> <%{DATA:raw_time}> <%{DATA:message_id}> <%{GREEDYDATA:message_text}' 
        ] 
      } 
      keep_empty_captures => true
    }
    mutate {
      gsub         => [ "message_text", ">\s*$", ""]
    }
    mutate {
      gsub         => [ "user", "[<>]", ""]
    }
    mutate {
      gsub         => [ "thread", "[\[\]]", ""]
    }
    date {
      match        => [ 
        "timestamp", 
        "MMM dd, yyyy hh:mm:ss a", 
        "MMM dd, yyyy h:mm:ss a",
        "MMM  d, yyyy hh:mm:ss a", 
        "MMM  d, yyyy h:mm:ss a" 
      ]
    }
  }

I tested it quite thoroughly with Grok Debugger app first and then even wrote a unit test (with more than 200 different log samples) for that using rspec from logstash and ran that unit test directly on the system where logstash is running. All passed.

But when logstash runs in production grok filter fails for all incoming. I take some of the failing lines and put them into unit test and unit test is passing with them. I'm stuck.

Here is an example log line:

####<Apr 19, 2016 10:57:42 AM CEST> <Info> <Security> <ncby-modd-wbl02> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1461056262679> <BEA-000000> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>

It's logstash 2.3.1.

Logstash is receiving data from filebeat 1.2.3. Could that be the reason?

Best regards,
Anndrey

magnusbaeck · June 14, 2016, 6:05pm

The grok filter works for me:

$ cat test.config
input { stdin { } }
output { stdout { codec => rubydebug } }
filter {
  grok {
    match => [
      "message",
      '####<(?<timestamp>\w{3}\s+\d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} \w{2}) \w+> <%{DATA:severity}> <%{DATA:subsystem}> <%{DATA:machine}> <%{DATA:server}> <%{DATA:thread}> <%{DATA:user}> <%{DATA:diagnostic}> <%{DATA:transaction}> <%{DATA:raw_time}> <%{DATA:message_id}> <%{GREEDYDATA:message_text}'
    ]
  }
}
$ cat data
####<Apr 19, 2016 10:57:42 AM CEST> <Info> <Security> <ncby-modd-wbl02> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1461056262679> <BEA-000000> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>
$ /opt/logstash/bin/logstash -f test.config < data
Settings: Default pipeline workers: 2
Pipeline main started
{
         "message" => "####<Apr 19, 2016 10:57:42 AM CEST> <Info> <Security> <ncby-modd-wbl02> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1461056262679> <BEA-000000> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>",
        "@version" => "1",
      "@timestamp" => "2016-06-14T18:04:23.251Z",
            "host" => "hallonet",
       "timestamp" => "Apr 19, 2016 10:57:42 AM",
        "severity" => "Info",
       "subsystem" => "Security",
         "machine" => "ncby-modd-wbl02",
          "thread" => "[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'",
        "raw_time" => "1461056262679",
      "message_id" => "BEA-000000",
    "message_text" => "Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>"
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}

You may find https://github.com/magnusbaeck/logstash-filter-verifier useful when testing filters (caveat: I'm the author).

aadamovich · June 14, 2016, 6:45pm

Hi Magnus,

Thanks a lot for your reply!

Filter is actually OK and it works fine when I use file input or stdin input, but the problem seems to be related to some weird combination of filebeat input and grok reg ex., because all messages (including the one above) fail in production with tags added to the message: beats_input_codec_plain_applied, _grokparsefailure. I have other log file formats that go the same path (filebeat -> logstash -> grok -> elasticsearch) and they work, but this particular one does not.

Best regards,
Andrey

Topic		Replies	Views
Logstash - grokfilter is successful using grokdebug, but fails in live Logstash	14	584	September 6, 2021
Works in Grok Debugger but not in logstash config file Logstash	2	507	January 8, 2019
Grokparse failure even grok debugger fine Logstash	9	228	September 1, 2023
Grok parse failures Logstash	4	286	December 29, 2020
Multiline filter fails on one record when handling a large file Logstash	12	3280	July 6, 2017

Grok filter succeeds in unit test, in grok debugger, but fails in production

Related Topics