Grok parse failures

naveenrt23 · December 1, 2020, 3:34pm

Hello I'm playing around with grok filters and i'm running into parse failures..Any idea whats wrong ?

Filters:

filter {
  if [type] == "app-data" {
    mutate {
      rename => ["env", "environment"]
    }
    grok {
      break_on_match => false
      match => {
      "message" => "^%{DATA:timestamp_local}\|%{DATA:log_level}\|%{DATA:ID}\|%{WORD:Type}\|%{WORD:stage}\|%{NUMBER:accountNumber}\|%{WORD:region}"
      }
    }
  }
}

Here's the input being provided:

2020-12-01T10:28:51.603Z|INFO|AP92|com.test.resource.6|preview-5|9244208|US-EAST-9

Here's the error i see:

{
           "tags" => [
        [0] "_grokparsefailure"
    ],
           "type" => "app-data",
       "hostName" => "ELB-1",
       "@version" => "1",
           "path" => "/Users/metrics-poc/filebeat-output.log",
           "host" => "MA81",
     "@timestamp" => 2020-12-01T15:28:52.967Z,
        "message" => "2020-12-01T10:28:51.603Z|INFO|AP92|com.test.resource.6|preview-5|9244208|US-EAST-9",
    "environment" => "prod"
}

Badger · December 1, 2020, 3:41pm

WORD will not match either of those fields. WORD match word characters, which are [a-zA-Z0-9_].

naveenrt23 · December 1, 2020, 3:46pm

Gotcha..What difference does it makes if we generalize the type to DATA which seems like applicable to almost everything?

Badger · December 1, 2020, 4:12pm

Sometimes DATA will not do what you expect. You might be better off with a custom pattern

<?(Type)[^|]*>

will match anything that is not a pipe character.

system · December 29, 2020, 4:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.