Grok parse exception

Sandhya_Rathinapandi · May 26, 2016, 9:31am

Hi

I am trying to convert the response time in seconds using the below ruby code in the filter segment.

         code => "event['responsetime'] = (event['responsetime'].to_f / 1000000)

This was throwing grok parse exception when the response time is 0.

Tried changing the code as below but still showing the same error.

                    code => "if event['responsetime'] !=0
                            event['responsetime'] = (event['responsetime'].to_f / 1000000)
                            else event['responsetime'] = 0.0
                    end

Kindly help to resolve this.

Thanks

magnusbaeck · May 26, 2016, 10:44am

I don't see why the change you made would make any difference. 0 / 1000000 is still 0. What does the grok filter look like?

Sandhya_Rathinapandi · May 26, 2016, 10:59am

any idea on why it is throwing grokparse.

Also I am using the below pattern for it. will this be a problem.

match => { "message" => "%{COMBINEDAPACHELOG} %{POSINT:responsetime}" }

magnusbaeck · May 26, 2016, 1:28pm

And what does a line of input look like, i.e. what kind of string are you trying to parse with that grok filter?

Sandhya_Rathinapandi · May 27, 2016, 6:11am

The String that I am trying to parse is apache logs something like below.

10.12.123.123 - - [04/Apr/2016:19:27:26 +0000] "GET /path/abc.mp4?a=true HTTP/1.1" 200 1545 "-" "-" 0 "-"

and it is of the format

%{COMBINEDAPACHELOG} %{POSINT:responsetime}

magnusbaeck · May 27, 2016, 11:19am

Your grok expression ends with POSINT but your example log line doesn't end with a positive integer.