Hello all. I'm new to Logstash/ELK and a pretty weak coder. I'm trying to tidy up a filter which uses Grok and running into an error. Basically I've got a given log file and a filter that works but after adding a couple of addidtional Grok statements (to mark two specific events for use with Elap…

You don't want the _grokparsefailure tag, but that's grok's way of signalling that none of the expressions matched. But wait. The logic in my example is flawed and won't work if you have three or more grok filters. Do this instead: grok { ... tag_on_failure => [] add_tag => ["grok_success"] …

Grok with Else conditionals. How?

Elastic Stack Logstash

magnusbaeck (Magnus Bäck) November 11, 2016, 12:02pm 2

else blocks are connected to if conditionals, of which you have none. Try this pattern instead:

grok {
  ...
}
if "_grokparsefailure" in [tags] {
  grok {
    ...
  }
}
...

In other words, try new grok filters until the event gets a _grokparsefailure.

1 Like

Topic		Replies	Views
Logstash if statement not working probably Logstash	2	2352	December 25, 2015
Logstash if statement not working correctly Logstash	1	1637	July 6, 2017
Logstash grokparsefailure when multiple IF ELSE in use Logstash	2	484	January 14, 2019
_grokparsefailure tag added to log entries Logstash	4	695	August 10, 2017
If/Else not working as expected in filter Logstash	3	23357	May 14, 2018

Grok with Else conditionals. How?

Related topics