GrokParse Failure Reason

Miguel_Leite · October 30, 2018, 10:03am

I have the following logstash configuration:

 xml {
                        source => "message"
                        target => "parsed_listen"
                        force_array => false
                        add_tag => [ "xml_applied" ]
                }

                mutate { rename => {"[parsed_listen][txt]" => "[parsed_txt]"} }

                grok {
                        match => { "parsed_txt" => ["%{MONTHDAY}-%{DATA}-%{YEAR} %{TIME} \* %{DATA:[service_msg]} \* %{DATA:[address_prt]} \* %{WORD:[conn_type]} \* %{WORD:[scatex_host]} \* %{INT:[code]}"] }
                        add_tag => [ "grok1" ]
                }

                if "grok1" not in [tags] {
                        grok {
                                match => { "parsed_txt" => ["%{MONTHDAY}-%{DATA}-%{YEAR} %{TIME} \* %{DATA:[lsnr_msg]} \* %{WORD:[scatex_host]} \* %{INT:[code]}",
                                                            "%{MONTHDAY}-%{DATA}-%{YEAR} %{TIME} \* %{WORD:[action]} \* %{INT:[code]}"] }
                        }
                }

                else if "grok1" in [tags] {

                        grok {
                                match => { "address_prt" => ["\(ADDRESS=\(PROTOCOL=(?<prt>[^)]*)\)\(HOST=(?<host>[^)]*)\)\(PORT=(?<port>[^)]*)\)"] }
                        }
                        grok {
                                match => { "service_msg" => ["\(CONNECT_DATA=\(SERVICE_NAME=(?<srvc_name>[^)]*)\)\(CID=\(PROGRAM=(?<cid_prgm>[^)]*)\)\(HOST=(?<cid_hostname>[^)]*)\)\(USER=(?<cid_username>[^)]*)\)\)",
                                                             "\(CONNECT_DATA=\(SID=(?<sid_name>[^)]*)\)\(CID=\(PROGRAM=(?<cid_prgm>[^)]*)\)\(HOST=(?<cid_hostname>[^)]*)\)\(USER=(?<cid_username>[^)]*)\)\)"] }
                        }
                }

I'm not sure why is giving _grokparsefailure, since it parses the fields that are supposed to parse, as I can see it on Kibana... Any ideas?

Appreciate all the help!!

Jenni · October 30, 2018, 11:54am

It will be pretty difficult to find out what might be wrong with your pattern, if you don't tell us WHAT it is trying to parse

Miguel_Leite · October 30, 2018, 12:17pm

True, sorry about that!!

I was trying to parse the listener log from OracleDB which can have multiple formats... I allready reached the solution, and I will leave it here for other users...

            xml {
                    source => "message"
                    target => "parsed_listen"
                    force_array => false
            }

            mutate { rename => {"[parsed_listen][txt]" => "[parsed_txt]"} }

            if "parsed_txt" =~ /CONNECT_DATA/ {

                    grok {
                            match => { "parsed_txt" => ["%{MONTHDAY}-%{DATA}-%{YEAR} %{TIME} \* %{DATA:[service_msg]} \* %{DATA:[address_prt]} \* %{WORD:[conn_type]} \* %{WORD:[scatex_host]} \* %{INT:[code]}"] }
                            add_tag => [ "grok1" ]
                    }
            }

            else {

                    grok {
                            match => { "parsed_txt" => ["%{MONTHDAY}-%{DATA}-%{YEAR} %{TIME} \* %{DATA:[lsnr_msg]} \* %{WORD:[scatex_host]} \* %{INT:[code]}",
                                                        "%{MONTHDAY}-%{DATA}-%{YEAR} %{TIME} \* %{WORD:[action]} \* %{INT:[code]}"] }
                    }
            }

            if "grok1" in [tags] {

                    grok {
                            match => { "address_prt" => ["\(ADDRESS=\(PROTOCOL=(?<prt>[^)]*)\)\(HOST=(?<host>[^)]*)\)\(PORT=(?<port>[^)]*)\)"] }
                    }
                    grok {
                            match => { "service_msg" => ["\(CONNECT_DATA=\(SERVICE_NAME=(?<srvc_name>[^)]*)\)\(CID=\(PROGRAM=(?<cid_prgm>[^)]*)\)\(HOST=(?<cid_hostname>[^)]*)\)\(USER=(?<cid_username>[^)]*)\)\)",
                                                         "\(CONNECT_DATA=\(SID=(?<sid_name>[^)]*)\)\(CID=\(PROGRAM=(?<cid_prgm>[^)]*)\)\(HOST=(?<cid_hostname>[^)]*)\)\(USER=(?<cid_username>[^)]*)\)\)"] }
                    }
            }

system · November 27, 2018, 12:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.