Grok pattern fails although it is valid

dr01 · June 11, 2018, 8:57am

I need to extract the first numeric value from this log line:

Summary for local -------------- Succeeded: 515 (changed=142) Failed: 0 -------------- Total: (etc.)

so this is my grok filter:

grok {
	match => { "message" => "\ASummary for local -------------- Succeeded: %{NUMBER:succeeded} %{GREEDYDATA:foo}" }
}

The filter works perfectly in Grokconstructor - Test grok patterns but it returns a _grokparsefailure when run in my ELK stack.

Why is that?

The source is a file ingested via Filebeat configured with multiline.

In general, I've found the grok plugin to be very fragile -- about 80% of the time it throws an error. I suspect it has issues correctly ingesting a message. For this reason I either use dissect, or mutate with gsub. Does anyone else have the same experience?

dr01 · June 11, 2018, 9:51am

I've even tried to replace the built-in grok patterns with regexes, but with no avail:

grok {
	match => { "message" => "\ASummary for local -------------- Succeeded: (?<succeeded>[0-9]+) (?<foo>.*) }
}

EDIT: This behaviour is very likely due to the multiline message, see Error with dissect filter. I'll do some tests and report here my findings.

system · July 9, 2018, 9:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter fails when met with new line in multiline log Beats filebeat	3	1079	October 23, 2019
Grok parse failures Logstash	4	286	December 29, 2020
Error : "tags" => [ [0] "_grokparsefailure" ]..Grok filter error Logstash	22	2542	September 18, 2019
Multiline filter fails on one record when handling a large file Logstash	12	3280	July 6, 2017
Logstash - grokfilter is successful using grokdebug, but fails in live Logstash	14	584	September 6, 2021

Grok pattern fails although it is valid

Related Topics