Grok pattern all match but still grokparsefailure

txisme · November 14, 2016, 1:09pm

Hey,

so im parsing multiline logs using filebeat and logstash.
The multline pattern is made in filebeat like this:

multiline:
        pattern: '^Offset'
        negate: true
        match: after

one complete log looks like this:

Offset = 948639, Topic = LOGM, Source = NDM, Type = CreateSystemApiLog, Value = entry {
  correlationId: "gferw|NDM-5c59f6bd-9b11-4928-b5f6-6d76bcd58cd1"
  sourceId: "NDM"
  entryType: REQUEST
  entrySubType: END_POINT
  operation: READ
  user: "gferw"
  host: "10.130.16.18"
  uri: "/com.oiforum.json/ndm/network/1/endpoint/1311656127347565"
  timestamp: "2016-11-11T11:38:24.939Z"
}

im using http://grokconstructor.appspot.com/do/match to test the grok patterns and the results are this:

Every field is parsed with grok patterns correctly, but the grokconstructor website still gives error.

when i apply the same patterns to logstash and filebeat and then visualize the data generated, it always appears with the tag "_grokparsefailure" so i have no fields from the log. Why is this happening?

txisme · November 14, 2016, 2:47pm

found the error: invisible space right after the full grok pattern -.-'

system · December 12, 2016, 2:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grokparsefailure in logstash when consuming beats Logstash	2	1001	October 17, 2017
Grok pattern to match Filebeat multiline input up to the first new line character Logstash	6	988	November 26, 2020
Grok filter failing multiline logs from filebeat Logstash	2	1385	August 22, 2018
Logstash grok pattern issue Logstash	3	341	October 9, 2019
Help with pattern Beats filebeat	1	344	August 31, 2018

Grok pattern all match but still grokparsefailure

Related Topics