Grok parse faliure filebeat 6.0

Elastic Stack Logstash
1

hello folks

i have the following filebeat log going to logstash

https://pastebin.com/raw/hAGrDNLc

and the following logstash filter but the filter is throwing a grok parse failure. I am not certain why the if condition is not matching can you please advise. From the pastebin you can see that those fields are getting passed

input {
redis {
host => "localhost"
data_type => "list"
key => "filebeat"
}
}

filter {

if [fileset][module] == "nginx" {
grok {
add_tag => ["foundit"]
}
}
}

output {
#my output section here

}

2

If you unconditionally want to add a tag use a mutate filter and not a grok filter.

3

Thanks Magnus for the prompt reply, I have actually added random tags within my logstash.conf file in other places to make sure the logs are hitting the correct if statements when the logstash process is filtering them. so I am a bit confused as why its working in other places but I will try your suggestion.

thanks

4

add_tag and add_field work within any filter, but only when the filter considers the processing of the event successful. In the grok case those two options will only be processed if one of the grok expressions match. In your case you're not specifying any grok expression at all and hence the filter won't be successful and your add_tag will be ignored.

5

thank you magnus for the explanation now i understand why my other filter grok add_tag attribute is working and i also got this one working as well.

cheers

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.