Grok parse failure

Anca_Linca · March 21, 2024, 9:43am

Hi!

I am trying to parse a log that looks like this:

2024-03-21T09:33:14.187Z\t77bfdcb9-15439-5d254-96r4a-12c543f7\tDEBUG\t[logMetrics] [171101645.89459] Metrics:  {\n  fieldOne: 311,\n  fieldTwo: 36,\n  fieldThree: 347,\n  fieldFour: 50778,\n  fieldFive: 'AUSERID43',\n  fieldSix: 21,\n  fieldSeven: 471,\n  fieldEight: '1711013542.896099',\n  fieldNine: '171101645.89459',\n  fieldTen: true\n}\n

My grok filter looks like this:

grok {
           match => { "message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{TIME}Z\\t%{DATA:requestId}\\t%{DATA:log_level}\\t\[%{DATA:function_name}\]%{SPACE}\[%{DATA}\]%{SPACE}Metrics:%{SPACE}\{\\n%{SPACE}fieldOne:%{SPACE}%{DATA:fieldOne}\,\\n%{SPACE}fieldTwo:%{SPACE}%{DATA:fieldTwo}\,\\n%{SPACE}fieldThree:%{SPACE}%{DATA:fieldThree}\,\\n%{SPACE}fieldFour:%{SPACE}%{DATA:fieldFour}\,\\n%{SPACE}fieldFive:%{SPACE}%{DATA:fieldFive}\,\\n%{SPACE}fieldSix:%{SPACE}%{DATA:fieldSix}\,\\n%{SPACE}fieldSeven:%{SPACE}%{DATA:fieldSeven}\,\\n%{SPACE}fieldEight:%{SPACE}%{DATA:fieldEight}\,\\n%{SPACE}fieldNine:%{SPACE}%{DATA:fieldNine}\,\\n%{SPACE}fieldTen:%{SPACE}%{DATA:fieldTen}\\n\}\\n" }
      }

I am getting a _grokparsefailure. Could you please tell me what am I doing wrong? Thank you!

Rios · March 21, 2024, 12:31pm

Well, it works on 8.12.2.
The result:

{
        "fieldNine" => "'171101645.89459'",
       "fieldThree" => "347",
        "fieldFour" => "50778",
        "requestId" => "77bfdcb9-15439-5d254-96r4a-12c543f7",
    "function_name" => "logMetrics",
         "fieldOne" => "311",
       "fieldSeven" => "471",
       "fieldEight" => "'1711013542.896099'",
        "log_level" => "DEBUG",
         "fieldSix" => "21",
         "fieldTwo" => "36",
          "message" => "2024-03-21T09:33:14.187Z\\t77bfdcb9-15439-5d254-96r4a-12c543f7\\tDEBUG\\t[logMetrics] [171101645.89459] Metrics:  {\\n  fieldOne: 311,\\n  fieldTwo: 36,\\n  fieldThree: 347,\\n  fieldFour: 50778,\\n  fieldFive: 'AUSERID43',\\n  fieldSix: 21,\\n  fieldSeven: 471,\\n  fieldEight: '1711013542.896099',\\n  fieldNine: '171101645.89459',\\n  fieldTen: true\\n}\\n",
         "fieldTen" => "true",
        "fieldFive" => "'AUSERID43'"
}

Anca_Linca · March 21, 2024, 12:44pm

Hi,

Thanks for the response. My version is 7.16.2
I finally got it to work. I had to remove all white spaces before using kv because logstash would throw "field name cannot contain only whitespace" error if I didn't use gsub. Solution below:

grok {
            match => { "message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{TIME}Z\s+%{DATA:requestId}\s+%{DATA:log_level}\s+\[%{DATA:function_name}\]\s+\[%{DATA}\]\s+Metrics:\s+%{GREEDYDATA:testOne}"}
       }
       mutate {
            gsub => [ "testOne", "\s+", "" ]
       }
       kv {
            source => "testOne"
            include_brackets => true
            field_split => ","
            value_split => ":"
       }

system · April 18, 2024, 12:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.