Grok parse faliure filebeat 6.0

ramzey1981 · December 5, 2017, 3:17am

hello folks

i have the following filebeat log going to logstash

and the following logstash filter but the filter is throwing a grok parse failure. I am not certain why the if condition is not matching can you please advise. From the pastebin you can see that those fields are getting passed

input {
redis {
host => "localhost"
data_type => "list"
key => "filebeat"
}
}

filter {

if [fileset][module] == "nginx" {
grok {
add_tag => ["foundit"]
}
}
}

output {
#my output section here

}

magnusbaeck · December 5, 2017, 6:28am

If you unconditionally want to add a tag use a mutate filter and not a grok filter.

ramzey1981 · December 5, 2017, 3:56pm

Thanks Magnus for the prompt reply, I have actually added random tags within my logstash.conf file in other places to make sure the logs are hitting the correct if statements when the logstash process is filtering them. so I am a bit confused as why its working in other places but I will try your suggestion.

thanks

magnusbaeck · December 5, 2017, 7:55pm

add_tag and add_field work within any filter, but only when the filter considers the processing of the event successful. In the grok case those two options will only be processed if one of the grok expressions match. In your case you're not specifying any grok expression at all and hence the filter won't be successful and your add_tag will be ignored.

ramzey1981 · December 5, 2017, 8:15pm

thank you magnus for the explanation now i understand why my other filter grok add_tag attribute is working and i also got this one working as well.

cheers

system · January 2, 2018, 8:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.