GROK not able to read errors

rohit02bits · August 1, 2018, 11:00am

I amusing the following grok in my logstash config

filter{
grok{
match => { "message" => [ "%{TIMESTAMP_ISO8601:log_date} [%{NOTSPACE:thread}] %{LOGLEVEL:log_level} %{NOTSPACE:classname} - EventID:%{NOTSPACE:eventID},Status:%{WORD:status}", "%{TIMESTAMP_ISO8601:log_date} [%{NOTSPACE:thread}] %{LOGLEVEL:log_level} %{GREEDYDATA:msg}" ] }
add_tag => [ "%{eventID}" ]
add_tag => [ "%{status}" ]
}

  if "ERROR" not in [log_level] {
  if ",Status:" not in [message] {
       drop { }
  	  }
}

  date{
      match => ["log_date","ISO8601"]
  }
 }

I am getting the pattern above matched successfully and published to elk. The second part %{TIMESTAMP_ISO8601:log_date} [%{NOTSPACE:thread}] %{LOGLEVEL:log_level} %{GREEDYDATA:msg}

matches the error published. i have validated the same in GROK debugger. But i am not able to see any ERROR logs in the published index.

rohit02bits · August 1, 2018, 12:17pm

Thanks I resolved the issue.

system · August 29, 2018, 12:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with coding Grok filter Logstash	5	1014	July 5, 2017
Syntax in filter Error log Logstash docker	6	397	March 14, 2020
GROK debugger the parsing works but not in logstash Logstash	3	357	December 25, 2018
Logstash _grokparsefailure error Logstash	21	8102	July 19, 2017
GROK filter throws ERROR Logstash	25	2643	September 6, 2018

GROK not able to read errors

Related topics