Grok parse error in Kibana

kaj · March 6, 2020, 1:31am

I've been constructing a grok filter for a log that has lines like the one below:

2018-09-19 03:48:46.900-05:00 [HOST:hostname.domain.com][SERVER:VariableString][PID:35570][THR:3726157568][Kernel XML API][Trace] XML Command: <st><sst><st><cmd><get_svrdef_settings/></cmd></st></sst></st>

I've got the following grok that finally stopped erroring out in the logstash logs, but now does not actually parse correctly:

grok {
    match => { "message" => "%{DATA:logdate}\[HOST:%{DATA:host}\]\[SERVER:%{DATA:server}\]\[PID:%{BASE10NUM}:pid}\]\[THR:%{BASE10NUM}:thread\]\[Kernel XML API\]\[Trace\]\s*%{GREEDYDATA:xml_stuff}"}
        }

I've gone through a couple revisions including changing the first DATA to %{TIMESTAMP_ISO8601} but that had the same result.

Wolfram_Haussig · March 6, 2020, 7:40am

Hi,

Try this:

%{DATA:logdate}[HOST:%{DATA:host}][SERVER:%{DATA:server}][PID:%{BASE10NUM:pid}][THR:%{BASE10NUM:thread}][Kernel XML API][Trace] XML Command:\s*%{GREEDYDATA:xml_stuff}

You had an error in the PID and Thread grok. I also removed the text prefix from the XML part.

I simply used trhe grok debugger in Kibana: Debug grok expressions | Kibana Guide [8.11] | Elastic

Just copy your log entry and grok pattern into it and remove parts of the pattern until you find the error cause.

Best regards
Wolfram

Topic		Replies	Views
Logstash Grok Filter Error Expected one of [ \\t\\r\\n], \"#\", [A-Za-z0-9_-], '\"', \"'\", [A-Za-z_], \"-\", [0-9], \"[\", \"{\" Logstash	4	887	May 9, 2021
Getting Grok Parse failure error Logstash docker	2	372	December 20, 2019
Grok parse failed, works good with grok debugger Logstash	6	2710	November 27, 2017
Grok parse failures .. Grok syntax Logstash	22	2486	November 9, 2018
_grokparsefailure in tags. Not able to change the format of the log Logstash	2	975	November 17, 2017

Grok parse error in Kibana

Related topics