_grokparsefailure help

Hi all,

Seem to be having trouble getting some of my logs into Logstash. Have been able to successfully work through most of my logs, but this last one is giving me grief.

Example line from logfile;

    2019-10-01 22:25:54,903|1.2.5 Unhandled exception in ASP.NET

Logstash configuration section for file;

    grok {
      match => [ "message", "%{TIMESTAMP_ISO8601:log_timestamp}\|%{GREEDYDATA:messagedata"]
    }

    date {
      match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss,SSS"]
      target => "@timestamp"
    }

Output from STDOUT

    {
        "@timestamp" => 2019-10-10T22:43:41.120Z,
           "message" => "2019-10-01 22:25:54,903|1.2.5 Unhandled exception in ASP.NET",
            "fields" => {
            "log_type" => "episerver"
        },
               "ecs" => {
            "version" => "1.0.1"
        },
             "agent" => {
            "ephemeral_id" => "441f3686-545d-4772-8bf0-62c8ecbe80f4",
                "hostname" => "AKL-LT-IT3",
                      "id" => "28a84e54-a366-43d5-bc07-2172be9b6518",
                 "version" => "7.3.1",
                    "type" => "filebeat"
        },
             "input" => {
            "type" => "log"
        },
          "@version" => "1",
              "tags" => [
            [0] "beats_input_codec_plain_applied",
            [1] "_grokparsefailure"
        ],
               "log" => {
            "offset" => 526394,
              "file" => {
                "path" => "C:\\Temp\\EpiServer\\EPiServerLog.txt.2019-10-01"
            }
        }
    }

Thoughts?

Cheers, Andrew

Turned out to be a missing parenthesis in the grok pattern

      match => [ "message", "%{TIMESTAMP_ISO8601:log_timestamp}\|%{GREEDYDATA:messagedata"]
    }

Updated to

      match => [ "message", "%{TIMESTAMP_ISO8601:log_timestamp}\|%{GREEDYDATA:messagedata}"]
    }

Logstash did not pick up on the missing } and still loaded the config
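
A pre-deployment check for the mistake found in this thread, as an added example that is not part of the original posts or of Logstash: it scans config text for grok references that open with `%{` and have no closing `}`. The function names are assumptions of this example, and the sample config is constructed from the two patterns posted above.

```ruby
# Added example: flag grok references that open with "%{" but never close.
# Limitation: a "}" from a regex quantifier (e.g. \d{2}) that follows an
# unclosed reference will hide it from this simple scan.

# Return the unterminated "%{..." fragments found in one grok pattern string.
def unterminated_grok_refs(pattern)
  bad = []
  pos = 0
  while (start = pattern.index('%{', pos))
    close = pattern.index('}', start + 2)
    nxt = pattern.index('%{', start + 2)
    if close.nil? || (nxt && nxt < close)
      # No "}" before the next reference or the end of the string.
      stop = nxt || pattern.length
      bad << pattern[start...stop]
      pos = stop
    else
      pos = close + 1
    end
  end
  bad
end

# Scan config text and return [line_number, fragment] pairs.
def check_config(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    # Double-quoted strings, allowing backslash escapes such as \| and \".
    line.scan(/"((?:\\.|[^"\\])*)"/).flatten.each do |str|
      unterminated_grok_refs(str).each { |frag| findings << [lineno, frag] }
    end
  end
  findings
end

# Constructed sample: the broken pattern from the thread, then the fixed one.
SAMPLE_CONFIG = <<~'CONF'
  grok {
    match => [ "message", "%{TIMESTAMP_ISO8601:log_timestamp}\|%{GREEDYDATA:messagedata"]
  }
  grok {
    match => [ "message", "%{TIMESTAMP_ISO8601:log_timestamp}\|%{GREEDYDATA:messagedata}"]
  }
CONF

if __FILE__ == $PROGRAM_NAME
  check_config(SAMPLE_CONFIG).each do |lineno, frag|
    puts "line #{lineno}: unterminated grok reference #{frag.inspect}"
  end
end
```

Running a check like this over pipeline files before a reload catches the case where the config loads cleanly but every event is tagged `_grokparsefailure`.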
