While processing a large log file with Logstash, we are getting grokparsefailure & dateparsefailure. We would like to know which line in the log file is causing the failure so that we can look into it in more detail with the grok debugger. A line number or the log message itself would help.
Currently, in the output filter we do this:

    if ("_grokparsefailure" in [tags]) {
      file {
        path => "./error.txt"
      }
    }

Is there a way to identify the line # or the offending message itself?
If you are sending them to elasticsearch then just do a search for documents with those tags. Otherwise send the event to another output only if it has the tag, just as you show.
Thanks for your quick response. Based on the first suggestion, we sent those to elasticsearch (irrespective of failure). There is only one line that is causing the failure (please see below). However, from that, we could not identify which log entry in the file is causing the problem. How can we get that information, please?