Grok pattern fails although it is valid

dr01 · June 11, 2018, 8:57am

I need to extract the first numeric value from this log line:

Summary for local -------------- Succeeded: 515 (changed=142) Failed: 0 -------------- Total: (etc.)

so this is my grok filter:

grok {
	match => { "message" => "\ASummary for local -------------- Succeeded: %{NUMBER:succeeded} %{GREEDYDATA:foo}" }
}

The filter works perfectly in Grokconstructor - Test grok patterns but it returns a _grokparsefailure when run in my ELK stack.

Why is that?

The source is a file ingested via Filebeat configured with multiline.

In general, I've found the grok plugin to be very fragile -- about 80% of the time it throws an error. I suspect it has issues correctly ingesting a message. For this reason I either use dissect, or mutate with gsub. Does anyone else have the same experience?

dr01 · June 11, 2018, 9:51am

I've even tried to replace the built-in grok patterns with regexes, but with no avail:

grok {
	match => { "message" => "\ASummary for local -------------- Succeeded: (?<succeeded>[0-9]+) (?<foo>.*) }
}

EDIT: This behaviour is very likely due to the multiline message, see Error with dissect filter. I'll do some tests and report here my findings.

system · July 9, 2018, 9:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter fails when met with new line in multiline log Beats filebeat	3	1080	October 23, 2019
Grok filter throwing error for valid pattern Logstash	5	823	April 22, 2018
Grok parse failures Logstash	4	286	December 29, 2020
Greedydata does not work Logstash	11	2922	July 6, 2017
Multiline filter fails on one record when handling a large file Logstash	12	3283	July 6, 2017

Grok pattern fails although it is valid

Related topics