Grok: tag_on_failure is not working and has no effect

meerlicht · April 27, 2021, 6:40am

Hi there,

I can't get my head around why this snippet successfully groks the message, but neither sets nor removes the tags. I've tried to set a custom tag and also removing all tags (as in the current snippet)

grok { 
  #tag_on_failure => ["grok_https"]
  tag_on_failure => [ ]
  match => { "action" => "\"%{DATA:http_method} %{DATA:http_req} %{DATA:http_version}\"$"}
}

I'm still getting the tag _grokparsefailure if the pattern fails.
Logstash 7.12.0 with Elasticsearch 7.12.0

Thanks for any indications...

system · May 25, 2021, 6:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to know wich grok is failing? Logstash	3	229	December 7, 2023
Adding tags to logs Logstash	8	751	August 31, 2017
[Feature request] Tag_on_failure for Logstash xml filter plugin Logstash	5	558	May 4, 2020
Grok multiple pattern and tag_on_failure for each pattern Logstash	5	5734	November 2, 2018
What is the equivalent of grock parse failure for a ruby script Logstash	2	217	March 5, 2020

Grok: tag_on_failure is not working and has no effect

Related Topics