Grok works on Grok debugger but got Grokparsefailure in logstash

syunusic · August 12, 2021, 3:45pm

If I go to http://grokdebug.herokuapp.com/ or the GROK debugger in Kibana and use this sample and this grok, works fine.. but if I run it in logstash, I get a grokfailure tag:
Sample:

NSX 2281528 - [nsx@6876 comp=\"nsx-esx\" subcomp=\"mpa-client\" tid=\"2281586\" level=\"INFO\"] [AggSvc-L2-Bridging] SendRequest: To Master APH, Publish, type (com.vmware.nsx.management.aggservice.l2.HostLogicalPortStatusMsg) correlationId () Success.

and this is the grok:

NSX (?<nsx_numero>[^ ]+) - \[nsx@(?<nsx_numero_despuesdelaarroba>[^ ]+) comp=\\\"(?<nsx_comp>[^\\]+)\\\" subcomp=\\\"(?<nsx_subcomp>[^\\]+)\\\" tid=\\\"(?<nsx_tid>[^\\]+)\\\" level=\\\"(?<nsx_level>[^\\]+)\\\"\] \[(?<nsx_blah1>[^\]]+)\](\[(?<nsx_blah2>[^\]]+)\]|)(|:) %{GREEDYDATA:nsx_mensaje_final}

Where is the problem?
I’m positive is related to the escapes, but I can't find the problem.

Badger · August 12, 2021, 3:57pm

input { generator { count => 1 lines => [ 'NSX 2281528 - [nsx@6876 comp=\"nsx-esx\" subcomp=\"mpa-client\" tid=\"2281586\" level=\"INFO\"] [AggSvc-L2-Bridging] SendRequest: To Master APH, Publish, type (com.vmware.nsx.management.aggservice.l2.HostLogicalPortStatusMsg) correlationId () Success.' ] } }
filter {
    grok { match => { "message" => "NSX (?<nsx_numero>[^ ]+) - \[nsx@(?<nsx_numero_despuesdelaarroba>[^ ]+) comp=\\\"(?<nsx_comp>[^\\]+)\\\" subcomp=\\\"(?<nsx_subcomp>[^\\]+)\\\" tid=\\\"(?<nsx_tid>[^\\]+)\\\" level=\\\"(?<nsx_level>[^\\]+)\\\"\] \[(?<nsx_blah1>[^\]]+)\](\[(?<nsx_blah2>[^\]]+)\]|)(|:) %{GREEDYDATA:nsx_mensaje_final}" } }
}
output { stdout { codec => rubydebug { metadata => false } } }

works just fine for me

                   "nsx_level" => "INFO",
                   "nsx_blah1" => "AggSvc-L2-Bridging",
                    "nsx_comp" => "nsx-esx",
                 "nsx_subcomp" => "mpa-client",
                  "nsx_numero" => "2281528",

etc.

syunusic · August 12, 2021, 5:57pm

If I run exactly your configuration works fine.. so the problem is not the grok itself. This is my configuration where the problem occurs:

input
{
file { path => "/tmp/lala.json" start_position => "beginning" ignore_older => 15552000 codec => "json" }

}
filter
{
        grok { match => { "syslog_message" => "NSX (?<nsx_numero>[^ ]+) - \[nsx@(?<nsx_numero_despuesdelaarroba>[^ ]+) comp=\\\"(?<nsx_comp>[^\\]+)\\\" subcomp=\\\"(?<nsx_subcomp>[^\\]+)\\\" tid=\\\"(?<nsx_tid>[^\\]+)\\\" level=\\\"(?<nsx_level>[^\\]+)\\\"\] \[(?<nsx_blah1>[^\]]+)\](\[(?<nsx_blah2>[^\]]+)\]|)(|:) %{GREEDYDATA:nsx_mensaje_final}" } }
}
output
{
stdout { codec => rubydebug }
}

And this is the lala.json file:

{"product":"vmware","@version":"1","@timestamp":"2021-08-12T06:20:50.000Z","client":"client","hostname":"esxi","program":"nsx-exporter","message":"Aug 12 02:20:50 esxi nsx-exporter: NSX 2281528 - [nsx@6876 comp=\"nsx-esx\" subcomp=\"mpa-client\" tid=\"2281586\" level=\"INFO\"] [AggSvc-L2-Bridging] SendRequest: To Master APH, Publish, type (com.vmware.nsx.management.aggservice.l2.BridgeEndpointsOnBridgeNodeMsg) correlationId () Success.","type":"syslog","syslog_message":"NSX 2281528 - [nsx@6876 comp=\"nsx-esx\" subcomp=\"mpa-client\" tid=\"2281586\" level=\"INFO\"] [AggSvc-L2-Bridging] SendRequest: To Master APH, Publish, type (com.vmware.nsx.management.aggservice.l2.BridgeEndpointsOnBridgeNodeMsg) correlationId () Success.","message_program":"nsx-exporter","host":"data"}

Any ideas on where can be the problem?

Badger · August 12, 2021, 6:17pm

"syslog_message":"NSX 2281528 - [nsx@6876 comp="nsx-esx" subcomp="mpa-client" tid="2281586" level="INFO"]

The double quotes within syslog_message are escaped so that they do not terminate the value of the field. They are not really there. So

tid=\\\"(?<nsx_tid>[^\\]+)\\\"

should be

tid="(?<nsx_tid>[^"]+)"

etc.

syunusic · August 12, 2021, 6:47pm

Your answer was on the right track, but not quite what you said. At the end this is what I nedded to do: Not to "double" escape everything, but was neccesary to escape it once... if that makes any sense.. this is the grok that worked at the end:

grok { match => { "syslog_message" => "NSX (?<nsx_numero>[^ ]+) - \[nsx@(?<nsx_numero_despuesdelaarroba>[^ ]+) comp=\"(?<nsx_comp>[^\"]+)\" subcomp=\"(?<nsx_subcomp>[^\"]+)\" tid=\"(?<nsx_tid>[^\"]+)\" level=\"(?<nsx_level>[^\"]+)\"\] \[(?<nsx_blah1>[^\]]+)\](\[(?<nsx_blah2>[^\]]+)\]|)(|:) %{GREEDYDATA:nsx_mensaje_final}" } }

so, in your example would be:

tid=\"(?<nsx_tid>[^\"]+)\"

Thanks for your help!

Badger · August 12, 2021, 6:55pm

Oh, yeah, of course. Otherwise the " terminates the grok pattern and logstash would complain.

system · September 9, 2021, 6:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.