Grok parse error in Kibana

kaj · March 6, 2020, 1:31am

I've been constructing a grok filter for a log that has lines like the one below:

2018-09-19 03:48:46.900-05:00 [HOST:hostname.domain.com][SERVER:VariableString][PID:35570][THR:3726157568][Kernel XML API][Trace] XML Command: <st><sst><st><cmd><get_svrdef_settings/></cmd></st></sst></st>

I've got the following grok that finally stopped erroring out in the logstash logs, but now does not actually parse correctly:

grok {
    match => { "message" => "%{DATA:logdate}\[HOST:%{DATA:host}\]\[SERVER:%{DATA:server}\]\[PID:%{BASE10NUM}:pid}\]\[THR:%{BASE10NUM}:thread\]\[Kernel XML API\]\[Trace\]\s*%{GREEDYDATA:xml_stuff}"}
        }

I've gone through a couple revisions including changing the first DATA to %{TIMESTAMP_ISO8601} but that had the same result.

Wolfram_Haussig · March 6, 2020, 7:40am

Hi,

Try this:

%{DATA:logdate}[HOST:%{DATA:host}][SERVER:%{DATA:server}][PID:%{BASE10NUM:pid}][THR:%{BASE10NUM:thread}][Kernel XML API][Trace] XML Command:\s*%{GREEDYDATA:xml_stuff}

You had an error in the PID and Thread grok. I also removed the text prefix from the XML part.

I simply used trhe grok debugger in Kibana: Debug grok expressions | Kibana Guide [8.11] | Elastic

Just copy your log entry and grok pattern into it and remove parts of the pattern until you find the error cause.

Best regards
Wolfram

system · April 3, 2020, 7:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_grokparsefailure in Kibana although Grok tester returns "matched" Logstash	6	335	August 10, 2018
Logstash grok parse failure, while kibana grok debugger works fine Logstash	2	660	March 21, 2020
Log Grok does not work Logstash	2	314	September 28, 2018
Grok parse failure in LogStash, but works in Kibana debugger Logstash	6	1761	January 23, 2019
Need Help for grok pattern for logstash-2.1.0 Logstash	2	572	July 6, 2017

Grok parse error in Kibana

Related topics