Grok multiple matches reports failures in an unexpected way

Sous_Lesquels · July 9, 2019, 4:16pm

I have this filter:

grok {
  break_on_match => false
  match => {
    'message' => [
      'a(?<a>\d+)',
      'b(?<b>\d+)'
    ]
  }
}

and this input file:

a11
b21
a31 b32

When run, this parses correctly, i.e. I get three events:

{a => 11}
{b => 21}
{a => 31, b => 32}

as expected. However, I also get tags => ["_grokparsefailure"] on the first event. Why only on the first (and in particular not on the second)?

If I modify the above to this:

grok {
  break_on_match => false
  match => {
    'message' => [
      'a(?<a>\d+)',
      'b(?<b>\d+)',
      'c(?<c>\d+)'
    ]
  }
}

then I get tags => ["_grokparsefailure"] on all three events.

My expectation is that I'd get _grokparsefailure only when all of the supplied matches fail. Is my expectation incorrect and is there a way to make grok work so that it reports failure only if all matches fail?

Badger · July 9, 2019, 4:19pm

That is a known issue.

Sous_Lesquels · July 9, 2019, 4:23pm

@Badger Ah... No workarounds at the moment?

Badger · July 9, 2019, 4:24pm

None that I know of.

Sous_Lesquels · July 9, 2019, 4:25pm

Cool ty @Badger

system · August 6, 2019, 4:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok multiple pattern and tag_on_failure for each pattern Logstash	5	5755	November 2, 2018
GROK Multiple Match - Logstash Logstash	4	27103	July 6, 2017
Multiple match option in grok Logstash	8	15731	May 24, 2017
Grok filter sequence Logstash	2	1123	April 21, 2017
GROK multiple MATCH filters Logstash	3	5583	July 6, 2017

Grok multiple matches reports failures in an unexpected way

Related topics